Thursday 26 October 2017

Service Principal Name (SPN)

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

For Win32 services, a service installer specifies the logon account when an instance of the service is installed. The installer then composes the SPNs and writes them as a property of the account object in Active Directory Domain Services. If the logon account of a service instance changes, the SPNs must be re-registered under the new account.

Example: take SQL Server. The SQL services on the server run under a service account, and we register the SPN against that service account. (Sometimes SPNs are registered automatically, if the service account has been delegated Write servicePrincipalName on its own account attributes.) This SPN is then used for Kerberos authentication.

Syntax to register SPNs for SQL

setspn -s MSSQLSvc/ServerFQDNName Domainname\ServiceAccount
setspn -s MSSQLSvc/ServerFQDNName:ServicePortNumber Domainname\ServiceAccount


List the SPNs registered to one service account

setspn -L Domainname\ServiceAccount
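The same register-and-verify procedure as an added PowerShell example (not from the original post): it composes the two SQL SPNs from the syntax above, checks that no other account in the domain already holds them (a duplicate SPN makes Kerberos fail for that service), registers the missing ones, and lists the result. The host name, port and account name are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original post. Placeholders: sql01.corp.example,
# port 1433 and the service account svc_sql. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ServerFqdn     = 'sql01.corp.example'   # placeholder server FQDN
$ServicePort    = 1433                   # placeholder SQL port
$ServiceAccount = 'svc_sql'              # placeholder sAMAccountName

# Same two SPNs the setspn -s lines above register.
$Spns = @(
    "MSSQLSvc/${ServerFqdn}",
    "MSSQLSvc/${ServerFqdn}:${ServicePort}"
)

# Every object in this domain that already has the SPN registered.
# (setspn -s checks the whole forest; this check is per-domain.)
function Get-SpnOwner {
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
        Select-Object -ExpandProperty DistinguishedName
}

$Account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$ToAdd = @()
foreach ($Spn in $Spns) {
    $Owners = @(Get-SpnOwner -Spn $Spn)
    if ($Owners -contains $Account.DistinguishedName) {
        Write-Host "Already registered on ${ServiceAccount}: $Spn"
    } elseif ($Owners.Count -gt 0) {
        # Duplicate SPN on another account: the KDC cannot issue a ticket for
        # the service, so stop and let an administrator clean it up first.
        Write-Warning "Duplicate SPN $Spn held by: $($Owners -join ', ')"
    } else {
        $ToAdd += $Spn
    }
}

if ($ToAdd.Count -gt 0) {
    # Equivalent of: setspn -s MSSQLSvc/... Domainname\ServiceAccount
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $ToAdd }
}

# Verify, equivalent of: setspn -L Domainname\ServiceAccount
(Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
```

Run it as an account that has write access to the service account's servicePrincipalName attribute; the final line should show both MSSQLSvc entries.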

Steps to delegate Write servicePrincipalName permission to a service account
1. Open the service account's properties using ADSIEDIT.MSC and go to the Security tab.
2. Click Advanced, then click Add. Click "Select a principal", type SELF and click OK. Leave the Type as "Allow" and change "Applies to" to "Descendant User objects". Scroll down and check the box "Write servicePrincipalName".