Subject: SPN's role in delegation chain
Author: Alex_Raj
In response to: Built-in SPNs Recognized for Computer Accounts
Posted on: 05/30/2006 08:35:02 PM
An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer.
SPNs are critical to constrained delegation. When you set up a domain computer or user account for delegation, one step of the process is to list the SPNs of services on other computers that the computer is allowed to delegate to. This list forms a type of ACL. The services running on the other computers are identified by the SPNs that are issued to those services.
Multiple services can run simultaneously under the same account. Therefore, for each SPN that is set, you need these four unique pieces of information:
The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.
The account under which the service is running.
The computer on which the service is running, including any aliases that point to that computer.
The port on which the service is running.
These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.
An SPN itself consists of three pieces of information, ServiceClass/Host:Port, where:
ServiceClass is the service class of the SPN.
Host is the name of the computer to which the SPN belongs.
Port is the port that the service the SPN is registered to runs on.
> On 05/30/2006 08:31:52 PM Alex_Raj wrote:
> The built-in SPNs that are recognized for computer accounts are listed below. These SPNs are recognized for computer accounts if the computer has a HOST SPN. Unless they are explicitly placed on objects, a HOST SPN can substitute for any of the listed SPNs.
> alerter appmgmt browser cifs cisvc clipsrv dcom dhcp
> dmserver dns dnscache eventlog eventsystem fax
> http ias iisadmin messenger msiserver mcsvc netdde
> netddedsm netlogon netman nmagent oakley plugplay
> policyagent protectedstorage rasman remoteaccess replicator
> rpc rpclocator rpcss rsvp samss scardsvr scesrv schedule
> scm seclogon snmp spooler tapisrv time trksvr trkwks
> ups w3svc wins www
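Added example, not code from the original post: a small Python model of the ServiceClass/Host:Port format and of the HOST-substitution rule quoted above, resolving a requested SPN against a directory-wide view of registered SPNs to show which account's key a service ticket would be issued for. The registry contents, account names and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
# Service classes a HOST SPN stands in for unless that class is registered
# explicitly (the list from the quoted post).
HOST_COVERED_CLASSES = frozenset("""
alerter appmgmt browser cifs cisvc clipsrv dcom dhcp dmserver dns dnscache
eventlog eventsystem fax http ias iisadmin messenger msiserver mcsvc netdde
netddedsm netlogon netman nmagent oakley plugplay policyagent protectedstorage
rasman remoteaccess replicator rpc rpclocator rpcss rsvp samss scardsvr scesrv
schedule scm seclogon snmp spooler tapisrv time trksvr trkwks ups w3svc wins www
""".split())

@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None

def parse_spn(text: str) -> SPN:
    """Parse 'ServiceClass/Host[:Port]'; class and host compare case-insensitively."""
    service_class, sep, rest = text.partition("/")
    host, _, port_text = rest.partition(":")
    if not sep or not service_class or not host:
        raise ValueError(f"SPN needs ServiceClass/Host: {text!r}")
    port = None
    if port_text:
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"bad port in SPN {text!r}")
        port = int(port_text)
    return SPN(service_class.lower(), host.lower(), port)

def resolve_spn(requested: str, registry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (registered SPN, owning account) serving the request, or None.
    registry is a directory-wide map of SPN text -> account. An explicit SPN
    always wins; otherwise HOST/<host>[:port] covers the built-in classes above.
    Any other class (e.g. MSSQLSvc) must be registered explicitly."""
    want = parse_spn(requested)
    table = {parse_spn(spn): (spn, acct) for spn, acct in registry.items()}
    if want in table:
        return table[want]  # the ticket is issued for this account's key
    if want.service_class in HOST_COVERED_CLASSES:
        return table.get(SPN("host", want.host, want.port))
    return None

# Constructed sample registry (hypothetical names, not real directory data).
SAMPLE_REGISTRY = {
    "HOST/web01": "WEB01$",
    "HOST/web01.corp.example": "WEB01$",
    "http/web01.corp.example": "svc-web",  # explicit SPN overrides HOST
    "MSSQLSvc/db01.corp.example:1433": "svc-sql",
}
```

Auditing a real domain with the same logic would also flag the case the resolver cannot represent: the same SPN registered on two accounts, which the KDC cannot resolve at all.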