Service Principal Names

Service principal names are associated with the security principal (user or group) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service, or the client can obtain that information from a trusted third party, such as Active Directory. A service principal name is associated with an account, and an account can have many service principal names.

For information about registering service principal names in Active Directory at service installation, see the MSDN link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources .

Service Principal Names Syntax

A service uses the following elements to compose a service principal name.

The basic syntax of service principal name is as follows:

<service type>/<instance name>:<port number>/<service name>

where the elements of the syntax have the following meanings:

  • service type. Type of service, such as "www" for World Wide Web service or "ldap" for Lightweight Directory Access Protocol.

  • instance name. Name of the instance of the service. Depending upon the service type, it is either the name or IP address of the host running the service.

  • port number. Number of the port used by the service on the host, if it is different from the default for the service type.

  • service name. Name of the service. The name can be the DNS name of a host, of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of an RPC service object.

If service name and instance name are the same, as they are for most host-based services, then a service principal name can be abbreviated to two components:

  • <service type>/<instance name>:<port number>. If port number is different from the default for the service type specified by service type, you must specify the port number.

  • <service type>/<instance name>. If port number is the default port number for service type, you do not need to specify the port number. This form is intended to be compatible with the Generic Security Services API (GSS) form.

For more information about GSS and SSPI, see "Authentication" in this book.

Creating the Service Principal Name

A client creates the service principal name for a service. A service principal name can be one of the following: the DNS name of a domain, the DNS name of a host, or the distinguished name of a service connection point object. The SPN is the same for any method of authentication. When using Kerberos to authenticate itself to a server, the client requests a session ticket for the service principal name; when using certificate-based authentication, the SPN is validated against the contents of the "SubjectName" field of the certificate of the server.

Host-Based Service Named in DNS

A host-based service is a service that is identified by the name of the host on which the service runs. In such cases, the service principal name of the service is as follows:

<service type>/<host name>:<port number>

Or, if the service is using the default port for the service type specified by service type, then the SPN can be abbreviated to the following:

<service type>/<host name>

Services Named in the Directory Service

The service principal name for services named in the directory service has the following syntax:

<service type>/<host name>:<port number>/<distinguished name>

where the elements of the syntax have the following meanings:

  • service type. Type of service that is sought (for example, "print").

  • distinguished name. Distinguished name, in the format specified by Request for Comments (RFC) 1779 of the Internet Engineering Task Force, of an instance of the service type given by service type (for example, "cn=bldg26,dc=ntdom,dc=reskit,dc=com").

  • host name. DNS name of the host running the instance identified by distinguished name.

  • domain name. Name of the domain that contains the account running the service specified by distinguished name (formed from the "dc=" components of distinguished name).

For example, the service principal name for the print service for the NTDOM group in building 26 at Reskit, whose distinguished name is "cn=bldg26,dc=ntdom,dc=reskit,dc=com", which is running on nonstandard port number 1234 on host "prt1.ntdom.reskit.com", is as follows:

print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
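The following Python is an added example, not code from the original document or from Windows itself. It parses and composes SPNs using the syntax described above, applying both abbreviations (default port omitted, service name omitted when it equals the instance name), and normalizes an SPN so that the name a client composes can be compared against the name registered for the service. The default-port table and the case-insensitive treatment of service type and host name are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Default ports per service type. The page says only "the default for the
# service type"; these values are assumptions for this example.
DEFAULT_PORTS = {"ldap": 389, "www": 80, "http": 80}


@dataclass(frozen=True)
class SPN:
    service_type: str
    instance_name: str
    port: Optional[int] = None          # None: default port for service type
    service_name: Optional[str] = None  # None: same as instance name


def parse_spn(spn: str) -> SPN:
    """Split <service type>/<instance name>[:<port>][/<service name>].

    Assumes instance names are DNS names or IPv4 addresses (no ':' inside).
    The service name is kept verbatim, so an RFC 1779 distinguished name
    such as "cn=bldg26,dc=ntdom,dc=reskit,dc=com" survives intact.
    """
    parts = spn.split("/", 2)  # at most two splits: a DN may contain '/'
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, sep, port_str = parts[1].partition(":")
    if sep and not port_str.isdigit():
        raise ValueError(f"bad port in SPN: {spn!r}")
    port = int(port_str) if sep else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in SPN: {spn!r}")
    service_name = parts[2] if len(parts) == 3 else None
    return SPN(parts[0], host, port, service_name)


def build_spn(spn: SPN) -> str:
    """Compose an SPN, abbreviating as the document describes."""
    out = f"{spn.service_type}/{spn.instance_name}"
    if spn.port is not None and spn.port != DEFAULT_PORTS.get(spn.service_type):
        out += f":{spn.port}"
    if spn.service_name is not None and spn.service_name != spn.instance_name:
        out += f"/{spn.service_name}"
    return out


def canonical(spn: str) -> str:
    """Normalized form for comparing a client-composed SPN with the registered
    one: service type and DNS host are lowercased (assumed case-insensitive),
    default ports dropped; the distinguished name is left unchanged."""
    p = parse_spn(spn)
    return build_spn(SPN(p.service_type.lower(), p.instance_name.lower(),
                         p.port, p.service_name))
```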

For more information about service principal names, see the MSDN link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources .