SPNs seem to get more and more use these days, so I thought it would be nice to give an explanation of what SPNs are.
SPNs are used to map a service to a user account. You will find SPNs used predominantly with delegation and impersonation, and a lot of the time this is between a web server and another server hosting a service that requires Kerberos authentication. The key here is that Kerberos authentication is required, and thus this is primarily used within an organization or a trusted company. An example of this would be when an end user logs on to a web server, which then logs on to a SQL server. The web server is trying to authenticate against the SQL server using the web user’s credentials, but it doesn’t have the right to do that type of delegation. If it did, I don’t think online banking would be…well, online. :) Now this is only the case when the web and SQL instances are on separate servers. If they were on the same server you would not need to worry about SPNs.
Kerberos is the key here. Kerberos authentication happens all the time and is very common. The special part of Kerberos authentication is that it requires a ticket that ensures each party is who they say they are. This ensures that a hacker can’t impersonate another user. The only type of delegation that Windows allows is over a Kerberos connection. In short, the user knows how to contact and authenticate with the web server but has no idea who the SQL server is, yet needs data from it and needs to authenticate to it…thus delegation and impersonation need to occur.
An SPN is a name that Kerberos clients use to identify an instance of a service on a computer that is also using Kerberos. In fact, you can have multiple instances of a service running on a system, and each can have its own SPN. SPNs have a specific format, which looks like this – <service class>/<host>:<port>/<service name>. The only parts that are required are the service class and the host. For example, HTTP/www.adminprep.com would be an SPN registration covering any page on that web site. You would use the port option if you wanted to specify a port with the service, like this – MSSQLSvc/sqlservername.adminprep.com:3411. More info on the formatting of SPNs can be found here.
SPNs can use short NetBIOS names or long FQDNs. I recommend always using FQDNs, as short names can cause name conflicts in a multi-domain forest.
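As an added example (not code from the original post), here is a small Python parser for the SPN format described above, plus two checks a defender would run over a dump of the servicePrincipalName values in a directory: flagging SPNs registered with a short NetBIOS host rather than an FQDN, and finding the same SPN registered on more than one account (the duplicate-SPN problem linked below). The registrations dictionary is constructed sample data, the account names in it are made up, and the case-insensitive comparison of SPNs is an assumption made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SPN:
    """One parsed SPN: <service class>/<host>[:<port>][/<service name>]."""
    service_class: str
    host: str
    port: Optional[str] = None          # kept as text; the post documents a port number here
    service_name: Optional[str] = None

    def canonical(self) -> str:
        """Rebuild the SPN text in the documented form, omitting the optional parts if absent."""
        text = f"{self.service_class}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name is not None:
            text += f"/{self.service_name}"
        return text


# service class and host are mandatory; ":<port>" and "/<service name>" are optional
_SPN_RE = re.compile(r"([^/:]+)/([^/:]+)(?::([^/]+))?(?:/([^/]+))?")


def parse_spn(text: str) -> SPN:
    """Parse an SPN string, raising ValueError if the mandatory parts are missing."""
    match = _SPN_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"malformed SPN: {text!r}")
    service_class, host, port, service_name = match.groups()
    return SPN(service_class, host, port, service_name)


def is_fqdn(host: str) -> bool:
    """Treat a host containing a dot as an FQDN; a bare label is a NetBIOS short name."""
    return "." in host


def short_name_spns(registrations: Dict[str, List[str]]) -> List[str]:
    """Return every registered SPN whose host part is a short name (the post recommends FQDNs)."""
    return [
        raw
        for spns in registrations.values()
        for raw in spns
        if not is_fqdn(parse_spn(raw).host)
    ]


def find_duplicates(registrations: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each SPN to the accounts holding it, keeping only SPNs held by more than one account.

    SPNs are compared case-insensitively on their canonical form (assumption for this example).
    """
    holders: Dict[str, List[str]] = {}
    for account, spns in registrations.items():
        for raw in spns:
            key = parse_spn(raw).canonical().lower()
            holders.setdefault(key, []).append(account)
    return {spn: accounts for spn, accounts in holders.items() if len(accounts) > 1}


# Constructed sample: account -> list of servicePrincipalName values (made-up accounts).
SAMPLE_REGISTRATIONS: Dict[str, List[str]] = {
    "svc-web": ["HTTP/www.adminprep.com", "HTTP/WEB01"],
    "WEB01$": ["HOST/WEB01", "HOST/web01.adminprep.com", "http/www.adminprep.com"],
    "svc-sql": ["MSSQLSvc/sqlservername.adminprep.com:3411"],
}


if __name__ == "__main__":
    sql = parse_spn("MSSQLSvc/sqlservername.adminprep.com:3411")
    print("parsed:", sql)
    print("short-name SPNs:", short_name_spns(SAMPLE_REGISTRATIONS))
    print("duplicate SPNs:", find_duplicates(SAMPLE_REGISTRATIONS))
```

Running this over the constructed sample reports the two short-name registrations (HTTP/WEB01 and HOST/WEB01) and one duplicate, http/www.adminprep.com, held by both svc-web and WEB01$; a duplicate like that is exactly the condition that makes Kerberos logons to the web service fail.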
For a more detailed look into SPNs I’ve provided a few links below, along with links to common issues. However, the first place you should go is this TechNet article.
Service Principal Name (SPN) Resources and Issues
- How to use SPNs when you configure Web applications that are hosted on Internet Information Services
- You receive an "HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
- How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005
- How to: Register a Service Principal Name (SPN) for a Report Server
- Service Logons Fail Due to Incorrectly Set SPNs
- Getting rid of the duplicate SPN in Active Directory
- Security Account Delegation
- Allow a user to be trusted for delegation for specific services