Subject: UPN vs SPN
Author: Alex_Raj
Posted on: 05/18/2006 11:57:36 PM
UPN stands for User Principal Name, which is a unique identifier for the security identity of a user or computer. UPN takes the format of
   <userID>@<DNS domain name>
UPN is stored in the AD user account under the attribute userPrincipalName, which is unique within the FOREST security boundary. That's why the DNS domain name must be a portion of it (except for NT).
SPN stands for Service Principal Name, which is a unique identifier for the security identity of a user or computer. UPN takes the format of
   <serviceClass>/<host>:<port>/<serviceName>
where
  <serviceClass> -- a string identifying the service
  <host>         -- a NetBIOS or DNS name identifying the machine on which
                    the service is running.
  <port>         -- OPTIONAL, port number to which the service is listening
  <serviceName>  -- OPTIONAL
For example, an LDAP service running on machine myhost.mydomain.com listening on port 2389 takes an AD account with:
dn: cn=myhost,cn=user,dc=mydomain,dc=com
userPrincipalName: myhost@mydomain.com
servicePrincipalName: ldap/myhost.mydomain.com:2389
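The two formats above, turned into a small validator as an added example (written for this post, not code from the original author): it splits a UPN and an SPN into their parts, treats port and serviceName as optional, rejects malformed values, and checks that an account's SPN host actually sits inside its UPN domain, as in the myhost example. The regexes, the case-folding and the helper names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regexes for the two formats described in the post (constructed here; not from any library).
_UPN_RE = re.compile(r"^(?P<user>[^@/\\\s]+)@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)$")
# serviceClass/host[:port][/serviceName]; port and serviceName are optional.
_SPN_RE = re.compile(
    r"^(?P<cls>[A-Za-z0-9_-]+)/(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<svc>[^/\s]+))?$"
)

@dataclass(frozen=True)
class UPN:
    user: str
    domain: str

@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

def parse_upn(value: str) -> UPN:
    """Split <userID>@<DNS domain name>; reject anything else."""
    m = _UPN_RE.match(value)
    if not m:
        raise ValueError(f"not a well-formed UPN: {value!r}")
    return UPN(m["user"], m["domain"].lower())   # domain names compare case-insensitively

def parse_spn(value: str) -> SPN:
    """Split <serviceClass>/<host>[:<port>][/<serviceName>]; reject anything else."""
    m = _SPN_RE.match(value)
    if not m:
        raise ValueError(f"not a well-formed SPN: {value!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"SPN port out of range: {port}")
    return SPN(m["cls"].lower(), m["host"].lower(), port, m["svc"])

def spn_host_in_upn_domain(spn: SPN, upn: UPN) -> bool:
    """True when the SPN host is the UPN's DNS domain or a host inside it
    (myhost.mydomain.com vs. mydomain.com in the post's example).
    A bare NetBIOS host (no dots) cannot be checked this way and yields False."""
    return spn.host == upn.domain or spn.host.endswith("." + upn.domain)

def check_account(upn_value: str, spn_value: str) -> bool:
    """Parse both attributes of one AD account and confirm they agree."""
    return spn_host_in_upn_domain(parse_spn(spn_value), parse_upn(upn_value))
```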