A Service Principal Name (SPN) is a unique identifier for a service instance within a Kerberos authentication domain. Think of it as the service’s login name. It allows a client to securely authenticate to a specific service on a particular server. The common format for an SPN is service class/fully qualified domain name (FQDN)@REALM. For example, an SPN for an IMAP service might look like IMAP/[email protected]. User Principal Names (UPNs), on the other hand, identify users in the format user@REALM or user1/user2@REALM (indicating a “speaks-for” relationship where one user can act on behalf of another).
The service class component of the SPN essentially denotes the protocol used by the service, such as HTTP, SMTP, or LDAP. Microsoft provides a comprehensive list of built-in Windows service classes. Each SPN is registered within the realm’s Key Distribution Center (KDC) and associated with a unique service key. This process is crucial for secure authentication. The setspn.exe utility, found in the Support\Tools folder of the Windows installation media or as a Resource Kit download, manages the assignment of SPNs to computer or user accounts in Active Directory (AD).
When a user attempts to access a Kerberized service (a service that uses Kerberos for authentication), they present an encrypted ticket obtained from the KDC, typically an Active Directory Domain Controller. This ticket is encrypted using the service key corresponding to the target service’s SPN. Being able to decrypt the ticket confirms that the service holds the correct key and lets it verify the client’s identity. While services on Windows hosts typically use the key linked to the AD computer account, the Kerberos protocol requires an SPN to be added to Active Directory for each Kerberized service on the host, except for the pre-defined, built-in SPNs. These SPNs are stored within the servicePrincipalName attribute of the host’s computer object in Active Directory. This ensures secure and unambiguous identification of services for authentication.
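The two points above, the SPN/UPN format and the fact that every Kerberized service needs its own SPN registered on exactly one account, can be exercised with a small parser plus a duplicate-SPN check. The following Python is an added example, not code from the original page or from Microsoft: it parses principal names into their components and then scans a constructed set of servicePrincipalName attribute values for SPNs that are registered on more than one account (a duplicate SPN leaves the KDC unable to pick a single service key, so authentication to that service fails). The account names and SPN values are constructed for the example, and treating service class and host case-insensitively for duplicate detection is an assumption made here.

```python
import re
from collections import defaultdict

# Principal name grammar assumed for this example:
#   SPN: serviceclass/host[:port][/servicename][@REALM]
#   UPN: user[@REALM]  or  user1/user2[@REALM]   ("speaks-for" form)
SPN_RE = re.compile(
    r"^(?P<service_class>[^/@:]+)/(?P<host>[^/@:]+)(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<service_name>[^/@]+))?(?:@(?P<realm>[^@/]+))?$"
)
UPN_RE = re.compile(
    r"^(?P<user>[^/@]+)(?:/(?P<on_behalf_of>[^/@]+))?(?:@(?P<realm>[^@/]+))?$"
)


def parse_spn(spn):
    """Split an SPN into service class, host, optional port/service name and realm."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a well-formed SPN: {spn!r}")
    parts = m.groupdict()
    parts["port"] = int(parts["port"]) if parts["port"] else None
    return parts


def parse_upn(upn):
    """Split a UPN; 'on_behalf_of' is set for the user1/user2 speaks-for form."""
    m = UPN_RE.match(upn)
    if not m:
        raise ValueError(f"not a well-formed UPN: {upn!r}")
    return m.groupdict()


def normalize_spn(spn):
    """Canonical form used for duplicate detection.

    Assumption for this example: the service class and host parts are compared
    case-insensitively, and a realm suffix (absent from AD attribute values) is dropped.
    """
    p = parse_spn(spn)
    canon = f"{p['service_class'].lower()}/{p['host'].lower()}"
    if p["port"]:
        canon += f":{p['port']}"
    if p["service_name"]:
        canon += f"/{p['service_name'].lower()}"
    return canon


def find_duplicate_spns(accounts):
    """accounts maps sAMAccountName -> list of servicePrincipalName values.

    Returns {normalized_spn: [account, ...]} for every SPN registered on more
    than one account; an empty dict means no conflicts.
    """
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[normalize_spn(spn)].add(account)
    return {spn: sorted(accs) for spn, accs in owners.items() if len(accs) > 1}


# Constructed sample of servicePrincipalName values, as if read from three AD objects.
SAMPLE_ACCOUNTS = {
    "WEB01$": ["HTTP/web01.corp.example", "HTTP/web01", "HOST/web01.corp.example"],
    "svc_web": ["http/WEB01.corp.example", "MSSQLSvc/sql01.corp.example:1433"],
    "SQL01$": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql01.corp.example"],
}

if __name__ == "__main__":
    print(parse_spn("MSSQLSvc/sql01.corp.example:1433@CORP.EXAMPLE"))
    print(parse_upn("user1/user2@CORP.EXAMPLE"))
    for spn, accs in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate SPN {spn} registered on: {', '.join(accs)}")
```

In a real environment the input to find_duplicate_spns would come from an LDAP query for servicePrincipalName over the domain; the check mirrors what an administrator does with setspn before registering a new SPN, and running it periodically catches conflicts introduced by hand-edited attributes.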