Alex_Raj (member, offline) | posts: 99 | joined: 05/16/2006 | from: San Jose, CA
UPN vs SPN |
UPN stands for User Principal Name, which is a unique identifier for the security identity of a user or computer. A UPN takes the format of
<userID>@<DNS domain name>
The UPN is stored in the AD user account under the attribute userPrincipalName, which is unique within the FOREST security boundary. That's why the DNS domain name must be a portion of it (except for NT).
SPN stands for Service Principal Name, which is a unique identifier for the security identity of a user or computer. An SPN takes the format of
<serviceClass>/<host>:<port>/<serviceName>
where
<serviceClass> -- a string identifying the service
<host> -- a NetBIOS or DNS name identifying the machine on which the service is running
<port> -- OPTIONAL, port number on which the service is listening
<serviceName> -- OPTIONAL
For example, an LDAP service running on machine myhost.mydomain.com and listening on port 2389 takes an AD account with:
dn: cn=myhost,cn=user,dc=mydomain,dc=com
userPrincipalName: myhost@mydomain.com
servicePrincipalName: ldap/myhost.mydomain.com:2389
Alex_Raj wrote:
What happens if SPNs are not correctly set? |
Service Principal Names (SPNs) are unique identifiers for services running on servers. Every service that will use Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, then clients will have no way of locating that service. Without properly set SPNs, Kerberos authentication is not possible.
If an SPN has not been correctly set and a client attempts to obtain a service ticket, a common result is a KDC_ERR_C_PRINCIPAL_UNKNOWN or a KDC_ERR_S_PRINCIPAL_UNKNOWN error. Furthermore, there are many other errors for which the cause might be a missing or an incorrectly set SPN.
Alex_Raj wrote:
What happens if SPNs are not EVER set? |
Chances are your service is a well-known service, like HTTP or TIME, and you need not specifically register your service. Otherwise, you get a KDC_ERR_C_PRINCIPAL_UNKNOWN or a KDC_ERR_S_PRINCIPAL_UNKNOWN error.
Alex_Raj wrote:
Built-in SPNs Recognized for Computer Accounts |
The built-in SPNs that are recognized for computer accounts are listed below. These SPNs are recognized for computer accounts if the computer has a HOST SPN. Unless they are explicitly placed on objects, a HOST SPN can substitute for any of the listed SPNs.
alerter appmgmt browser cifs cisvc clipsrv dcom dhcp dmserver dns dnscache eventlog eventsystem fax
http ias iisadmin messenger msiserver mcsvc netdde
netddedsm netlogon netman nmagent oakley plugplay
policyagent protectedstorage rasman remoteaccess replicator
rpc rpclocator rpcss rsvp samss scardsvr scesrv schedule
scm seclogon snmp spooler tapisrv time trksvr trkwks
ups w3svc wins www
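The two formats described in the UPN vs SPN post, and the HOST substitution rule from this post, as a small parser and lookup. This is an added example, not code from the thread or from Microsoft; the built-in service-class list is the one given above, the LDAP values come from the first post, and the rule that a HOST SPN must also match the target's port (when one is given) is an assumption made here.

```python
"""Parse UPN and SPN strings and resolve an SPN against an account's registrations.

Added example (not from the forum thread). HOST_COVERED is the list of built-in
service classes from the post above; all other values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Service classes that a HOST/<name> SPN can stand in for (list from the post above).
HOST_COVERED = frozenset("""
alerter appmgmt browser cifs cisvc clipsrv dcom dhcp dmserver dns dnscache eventlog
eventsystem fax http ias iisadmin messenger msiserver mcsvc netdde netddedsm netlogon
netman nmagent oakley plugplay policyagent protectedstorage rasman remoteaccess
replicator rpc rpclocator rpcss rsvp samss scardsvr scesrv schedule scm seclogon snmp
spooler tapisrv time trksvr trkwks ups w3svc wins www
""".split())


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None


def parse_upn(upn: str) -> tuple:
    """Split <userID>@<DNS domain name>; the DNS domain part is case-insensitive."""
    user, sep, domain = upn.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"malformed UPN: {upn!r}")
    return user, domain.lower()


def parse_spn(spn: str) -> SPN:
    """Parse <serviceClass>/<host>[:<port>][/<serviceName>] into its components."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    service_class, hostport = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, sep, port_text = hostport.partition(":")
    port = None
    if sep:
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"bad port in SPN: {spn!r}")
        port = int(port_text)
    # Service class and host are folded to lower case so that lookups are
    # case-insensitive; a trailing dot on a DNS name is dropped (design choice).
    return SPN(service_class.lower(), host.lower().rstrip("."), port, service_name)


def resolves(spn_text: str, account_spns: list) -> bool:
    """True if the SPN is registered on the account, either explicitly or via the
    HOST/<host> SPN, which substitutes for the built-in service classes.

    Assumption: a port given on the target must also be present on the HOST SPN.
    """
    target = parse_spn(spn_text)
    registered = {parse_spn(s) for s in account_spns}
    if target in registered:
        return True
    if target.service_class in HOST_COVERED and target.service_name is None:
        return SPN("host", target.host, target.port) in registered
    return False


if __name__ == "__main__":
    # Constructed account: the first post's LDAP SPN plus the automatic HOST SPN.
    account = ["HOST/myhost.mydomain.com", "ldap/myhost.mydomain.com:2389"]
    for candidate in ("http/myhost.mydomain.com", "ldap/myhost.mydomain.com:2389",
                      "MSSQLSvc/myhost.mydomain.com:1433"):
        print(f"{candidate:40} -> {'found' if resolves(candidate, account) else 'unknown'}")
```

The last candidate shows why a SQL Server SPN has to be registered explicitly: MSSQLSvc is not one of the classes the HOST SPN covers, so without a registration the KDC cannot find it.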
Alex_Raj wrote:
SPN's role in delegation chain |
An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer.
SPNs are critical to constrained delegation. When you set up a domain computer or user account for delegation, one step of the process is to list the SPNs of services on other computers that the computer is allowed to delegate to. This list forms a type of ACL. The services running on the other computers are identified by the SPNs that are issued to those services.
Multiple services can run simultaneously under the same account. Therefore, for each SPN that is set, you need these four unique pieces of information:
The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.
The account under which the service is running.
The computer on which the service is running, including any aliases that point to that computer.
The port on which the service is running.
These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.
An SPN itself consists of three pieces of information, ServiceClass/Host:Port, where:
ServiceClass is the service class of the SPN.
Host is the name of the computer to which the SPN belongs.
Port is the port that the service the SPN is registered to runs on.
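The "list of SPNs as an ACL" idea from this post, as an added example that is not part of the thread. The accounts, host names and allowed lists are constructed; in Active Directory the list lives in the msDS-AllowedToDelegateTo attribute of the front-end account, and the check below is a model of the KDC's decision, not its implementation.

```python
"""Model of the constrained-delegation check: may a front-end service account
request a ticket to a back-end SPN on a user's behalf?

Added example, not from the forum thread. Accounts, hosts and the allowed
lists are constructed.
"""


def normalise(spn: str) -> str:
    """SPN values are compared case-insensitively (service class and host)."""
    return spn.strip().lower()


# Constructed: front-end service account -> SPNs of back-end services it may
# delegate to (the ACL the post describes).
DELEGATION_ACL = {
    "EXAMPLE\\svc-web": {"MSSQLSvc/db01.example.test:1433", "MSSQLSvc/db01:1433"},
    "EXAMPLE\\svc-report": set(),  # delegation never configured for this account
}


def may_delegate(front_end: str, target_spn: str, acl=DELEGATION_ACL) -> bool:
    """True only if the exact back-end SPN appears in the front-end account's list.
    A different port, a different service class or a host name not on the list
    all fail, which is the point of the ACL."""
    allowed = {normalise(s) for s in acl.get(front_end, ())}
    return normalise(target_spn) in allowed


def missing_aliases(front_end: str, service_class: str, names: list, port: int,
                    acl=DELEGATION_ACL) -> list:
    """Names of the back-end host (NetBIOS, FQDN, aliases) the list does not cover.
    A client that reaches the back end under one of these names builds an SPN
    the ACL will not match, so delegation fails for that path."""
    return [n for n in names
            if not may_delegate(front_end, f"{service_class}/{n}:{port}", acl)]


if __name__ == "__main__":
    print(may_delegate("EXAMPLE\\svc-web", "mssqlsvc/DB01.example.test:1433"))
    print(may_delegate("EXAMPLE\\svc-web", "cifs/db01.example.test"))
    print(missing_aliases("EXAMPLE\\svc-web", "MSSQLSvc",
                          ["db01", "db01.example.test", "sql.example.test"], 1433))
```

The second function is the operational part: when a back-end server is reachable under an alias (a CNAME such as sql.example.test above), the alias needs its own entry in the front-end account's list, just as it needs its own SPN on the back-end account.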
Alex_Raj wrote:
How To Set SPN |
The Setspn utility sets SPNs. Because SPNs are security-sensitive, you can only set SPNs for user objects if you have domain administrator privileges.
Setspn
To add an SPN, you can type the following at a command prompt:
setspn -A ServiceClass/Host:Port AccountName
To delete an SPN, you can type the following at a command prompt:
setspn -D ServiceClass/Host:Port AccountName
To view the SPNs that are registered for an account, you can type the following at a command prompt:
To reset the default SPN registrations for the host names for an account, you can type the following at a command prompt:
The following section discusses the parameters listed above.
ServiceClass. There are many different types of SPNs, and each service that is running on a computer should have the appropriate SPN service class assigned to it. If an application is written to take advantage of Kerberos authentication and delegation, the specific type of SPN it needs to access is pre-determined. For example, when Internet Explorer versions 5.5 and later use the Kerberos protocol to authenticate to a Web service, the application looks for the HTTP SPN. On the other hand, a SQL Server client looks for the MSSQLSvc/ SPN. If the wrong service class is used on an SPN, then the SPN will not be located when a service searches for it.
Host. The computer to which the SPN belongs is all the names by which a computer on which the service is running can be referenced. This usually includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases that might have been assigned to this computer. A separate SPN will need to be set for each name by which the computer can be referenced, with the Host parameter changing respectively.
Port. The port that the service is running on. If this is a default port for that service (such as 80 for HTTP), then it can be omitted. However, it is recommended that the port be included regardless of what service is running.
AccountName. The name of the domain account under which the service runs. If the service runs as Local System or the network service, you usually do not need to set an SPN explicitly for the service, because most common SPN service classes will automatically be mapped to the HOST/ SPN, which is in turn automatically generated for each computer account.
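The Host, Port and AccountName rules from this post turned into a registration planner, as an added example that is not part of the thread and is not Microsoft's setspn tool. It enumerates the SPNs a service needs (one per name, port always included, as the post recommends), then checks a constructed table of existing registrations before emitting setspn -A commands: an SPN is a unique identifier, so one already held by another account is reported as a conflict to resolve with setspn -D rather than silently added again. Account names, hosts and the registration table are all constructed.

```python
"""Plan SPN registrations for a service reachable under several names.

Added example, not from the forum thread or from Microsoft's setspn tool.
Account names, host names and the registration table are constructed; the
only setspn switches used (-A, -D) are the ones the post above shows.
"""


def spns_for_service(service_class, netbios, fqdn, aliases=(), port=None):
    """One SPN per name a client might use (the post's Host parameter).
    The port is included whenever one is given, as the post recommends."""
    names = [netbios, fqdn, *aliases]
    suffix = f":{port}" if port is not None else ""
    return [f"{service_class}/{name}{suffix}" for name in names]


def spn_owners(registrations):
    """Index existing registrations by SPN, case-insensitively: SPN -> accounts."""
    owners = {}
    for account, spns in registrations.items():
        for spn in spns:
            owners.setdefault(spn.lower(), []).append(account)
    return owners


def duplicate_spns(registrations):
    """SPNs held by more than one account. An SPN must be unique, so any
    entry here is a misconfiguration to fix before anything else."""
    return {spn: accts for spn, accts in spn_owners(registrations).items()
            if len(accts) > 1}


def plan_registration(service_class, netbios, fqdn, aliases, port, account,
                      registrations):
    """Return (setspn -A commands to run, conflicts) for putting the service's
    SPNs on `account`. An SPN already on that account needs no command; one
    held by a different account is a conflict: remove it there with
    'setspn -D <spn> <other account>' before adding it here."""
    owners = spn_owners(registrations)
    commands, conflicts = [], {}
    for spn in spns_for_service(service_class, netbios, fqdn, aliases, port):
        holders = owners.get(spn.lower(), [])
        others = [h for h in holders if h.lower() != account.lower()]
        if others:
            conflicts[spn] = others
        elif not holders:
            commands.append(f"setspn -A {spn} {account}")
    return commands, conflicts


# Constructed registration table: account -> SPNs currently on it. The HOST
# SPNs on the computer account are the automatically generated ones.
REGISTRATIONS = {
    "WEB01$": ["HOST/WEB01", "HOST/web01.example.test",
               "HTTP/web01.example.test:8443"],
    "svc-web": ["HTTP/web01:8443"],
}


if __name__ == "__main__":
    cmds, bad = plan_registration("HTTP", "web01", "web01.example.test",
                                  ["intranet.example.test"], 8443, "svc-web",
                                  REGISTRATIONS)
    for c in cmds:
        print(c)
    for spn, holders in bad.items():
        print(f"conflict: {spn} already on {', '.join(holders)}")
```

In the constructed table the FQDN form of the HTTP SPN is still on the computer account while the service has been moved to svc-web; the planner flags it instead of registering a second copy, and only the alias that nobody holds yet gets a setspn -A line.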
Alex_Raj wrote:
serviceClass must be in lower case? |
According to IBM, <serviceClass> MUST be in lower case. Here is an excerpt from:
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahyschemacheck.htm
This name does not comply with the standards that define GSSAPI authentication, which state that the principal name should start with lower case "ldap". As a result, LDAP/mysys.ibm.com@IBM.COM, must be ldap/mysys.ibm.com@IBM.COM in newer i5/OS servers.
Does anyone know which standard?