ForumEasy.com » JavaPro » Authentication, Kerberos, Active Directory
Topic: UPN vs SPN
Alex_Raj, posted on: 05/18/2006 11:57:36 PM
UPN vs SPN
UPN stands for User Principal Name, which is a unique identifier for the security identity of a user or computer. A UPN takes the format
   <userID>@<DNS domain name>  

The UPN is stored in the AD user account under the attribute userPrincipalName, which is unique within the FOREST security boundary. That's why the DNS domain name must be a portion of it (except for NT).

SPN stands for Service Principal Name, which is a unique identifier for the security identity of a user or computer. An SPN takes the format
   <serviceClass>/<host>:<port>/<serviceName>  

where

  <serviceClass> -- a string identifying the service
  <host>         -- a NetBIOS or DNS name identifying the machine on which 
                    the service is running.
  <port>         -- OPTIONAL, port number on which the service is listening
  <serviceName>  -- OPTIONAL


For example, an LDAP service running on machine myhost.mydomain.com listening on port 2389 takes an AD account with:

dn: cn=myhost,cn=Users,dc=mydomain,dc=com
userPrincipalName: myhost@mydomain.com
servicePrincipalName: ldap/myhost.mydomain.com:2389

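The two name shapes in the post above, as an added example (not code from the original post): a small parser and validator for `userID@DNSdomain` and `serviceClass/host[:port][/serviceName]`. All sample values are constructed. The port component is kept as a string because, for some service classes, that position may carry an instance name rather than a number (e.g. `MSSQLSvc/host:SALES`).

```python
"""Parse and validate UPN and SPN strings as described in the post.

Added example for this thread, not code from the original post.
Sample names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# DNS-style label rules; a single label also covers a NetBIOS host name.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?"
    r"(\.[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?)*$"
)


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[str] = None          # numeric port, or an instance name
    service_name: Optional[str] = None  # optional trailing component

    def __str__(self) -> str:
        text = f"{self.service_class}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name is not None:
            text += f"/{self.service_name}"
        return text

    def canonical(self) -> str:
        """Comparison key. The Windows KDC matches SPNs case-insensitively, so
        fold case here; non-Windows GSSAPI stacks may be stricter (see the IBM
        note later in this thread)."""
        return str(self).lower()


def parse_spn(text: str) -> SPN:
    """Split serviceClass/host[:port][/serviceName]; raise ValueError on bad input."""
    service_class, sep, rest = text.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"expected serviceClass/host[:port][/serviceName]: {text!r}")
    host_port, sep2, service_name = rest.partition("/")
    if sep2 and not service_name:
        raise ValueError(f"empty serviceName in {text!r}")
    # rpartition so a host without ':' yields ('', '', host)
    host, sep3, port = host_port.rpartition(":")
    if not sep3:
        host, port = host_port, None
    elif not port:
        raise ValueError(f"empty port in {text!r}")
    if not _HOST_RE.match(host):
        raise ValueError(f"bad host {host!r} in {text!r}")
    if port is not None and port.isdigit() and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return SPN(service_class, host, port, service_name or None)


def parse_upn(text: str) -> Tuple[str, str]:
    """Split userID@DNSdomain; raise ValueError on bad input."""
    user, sep, domain = text.partition("@")
    if not sep or not user or "/" in user or not _HOST_RE.match(domain):
        raise ValueError(f"expected userID@DNSdomain: {text!r}")
    return user, domain


def is_valid_spn(text: str) -> bool:
    try:
        parse_spn(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_spn("ldap/myhost.mydomain.com:2389"))
    print(parse_upn("myhost@mydomain.com"))
```

`parse_spn` also accepts the domain-controller form `ldap/dc01.mydomain.com/mydomain.com`, where the trailing component is the optional serviceName the post lists.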
Alex_Raj, posted on: 05/30/2006 08:23:52 PM
What happens if SPNs are not correctly set?
Service Principal Names (SPNs) are unique identifiers for services running on servers. Every service that will use Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, then clients will have no way of locating that service. Without properly set SPNs, Kerberos authentication is not possible.

If an SPN has not been correctly set and a client attempts to obtain a service ticket, a common result is a KDC_ERR_C_PRINCIPAL_UNKNOWN or a KDC_ERR_S_PRINCIPAL_UNKNOWN error. Furthermore, there are many other errors for which the cause might be a missing or an incorrectly set SPN.
Alex_Raj, posted on: 05/30/2006 08:30:02 PM
What happens if SPNs are not EVER set?
Chances are your service is a well-known service, like HTTP or TIME, and you need not specifically register your service. Otherwise, you get a KDC_ERR_C_PRINCIPAL_UNKNOWN or a KDC_ERR_S_PRINCIPAL_UNKNOWN error.

Alex_Raj, posted on: 05/30/2006 08:31:52 PM
Built-in SPNs Recognized for Computer Accounts
The built-in SPNs that are recognized for computer accounts are listed below. These SPNs are recognized for computer accounts if the computer has a HOST SPN. Unless they are explicitly placed on objects, a HOST SPN can substitute for any of the listed SPNs.

alerter appmgmt browser cifs cisvc clipsrv dcom dhcp
dmserver dns dnscache eventlog eventsystem fax
http ias iisadmin messenger msiserver mcsvc netdde
netddedsm netlogon netman nmagent oakley plugplay
policyagent protectedstorage rasman remoteaccess replicator
rpc rpclocator rpcss rsvp samss scardsvr scesrv schedule
scm seclogon snmp spooler tapisrv time trksvr trkwks
ups w3svc wins www

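The three preceding posts (missing SPNs, never-set SPNs, and the HOST substitution list) describe one lookup path on the KDC. Here is that path as an added example, a simulation written for this thread and not code from the posts or from Windows: the client principal is checked first (KDC_ERR_C_PRINCIPAL_UNKNOWN), then an explicit SPN registration, then the computer's HOST SPN for the built-in classes, and otherwise KDC_ERR_S_PRINCIPAL_UNKNOWN. The directory is constructed sample data. Two assumptions of this example are labelled in the code: the HOST fallback is applied only to a plain `serviceClass/host` request, and an SPN held by two accounts is reported as `DUPLICATE_SPN` rather than resolved.

```python
"""Simulated KDC-side resolution of a requested service principal name.

Added example for this thread; not code from the posts or from Windows.
The directory below is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# RFC 4120 error codes named in the thread.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7

# Service classes a computer's HOST SPN can stand in for (the list in the
# "Built-in SPNs" post above).
HOST_SUBSTITUTABLE = frozenset(
    "alerter appmgmt browser cifs cisvc clipsrv dcom dhcp dmserver dns dnscache "
    "eventlog eventsystem fax http ias iisadmin messenger msiserver mcsvc netdde "
    "netddedsm netlogon netman nmagent oakley plugplay policyagent "
    "protectedstorage rasman remoteaccess replicator rpc rpclocator rpcss rsvp "
    "samss scardsvr scesrv schedule scm seclogon snmp spooler tapisrv time "
    "trksvr trkwks ups w3svc wins www".split()
)

# Constructed directory: sAMAccountName -> (userPrincipalName, servicePrincipalName values)
DIRECTORY: Dict[str, Tuple[Optional[str], List[str]]] = {
    "WEB01$":   (None, ["HOST/web01", "HOST/web01.mydomain.com"]),
    "alice":    ("alice@mydomain.com", []),
    "svc-ldap": ("svc-ldap@mydomain.com", ["ldap/myhost.mydomain.com:2389"]),
    # Two accounts carrying the same SPN, differing only in case: a duplicate.
    "svc-app1": ("svc-app1@mydomain.com", ["HTTP/app.mydomain.com"]),
    "svc-app2": ("svc-app2@mydomain.com", ["http/app.mydomain.com"]),
}


def _index_spns(directory) -> Dict[str, List[str]]:
    """Map each SPN (case-folded, as the Windows KDC matches them) to its holders."""
    index: Dict[str, List[str]] = {}
    for account, (_upn, spns) in directory.items():
        for spn in spns:
            index.setdefault(spn.lower(), []).append(account)
    return index


def request_service_ticket(client_upn: str, requested_spn: str, directory=DIRECTORY):
    """Return (status, account, spn_matched).

    status is "OK", "KDC_ERR_C_PRINCIPAL_UNKNOWN", "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    or "DUPLICATE_SPN". The last is this example's own diagnosis: a real KDC
    picks one of the two accounts, and the service holding the other key then
    fails to decrypt the ticket (KRB_AP_ERR_MODIFIED).
    """
    # Step 1: the client principal must exist.
    if not any(upn and upn.lower() == client_upn.lower() for upn, _ in directory.values()):
        return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None, None

    index = _index_spns(directory)

    # Step 2: an explicit registration wins.
    owners = index.get(requested_spn.lower(), [])
    if len(owners) > 1:
        return "DUPLICATE_SPN", None, requested_spn
    if len(owners) == 1:
        return "OK", owners[0], requested_spn

    # Step 3: HOST substitution for the built-in classes. Assumption of this
    # example: only a plain serviceClass/host request (no port, no serviceName)
    # is substituted; anything port-qualified needs an explicit SPN.
    service_class, _, rest = requested_spn.partition("/")
    if service_class.lower() in HOST_SUBSTITUTABLE and rest and ":" not in rest and "/" not in rest:
        owners = index.get(f"host/{rest.lower()}", [])
        if len(owners) == 1:
            return "OK", owners[0], f"HOST/{rest}"

    # Step 4: nothing matched.
    return "KDC_ERR_S_PRINCIPAL_UNKNOWN", None, None


if __name__ == "__main__":
    for spn in ("cifs/web01.mydomain.com", "ldap/web01.mydomain.com", "HTTP/app.mydomain.com"):
        print(spn, "->", request_service_ticket("alice@mydomain.com", spn))
```

Note that `ldap` is not in the built-in list, so `ldap/web01.mydomain.com` is unknown even though WEB01$ has a HOST SPN, while `cifs/web01.mydomain.com` resolves through it.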
Alex_Raj, posted on: 05/30/2006 08:35:02 PM
SPN's role in delegation chain
An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from all of the other services running on that computer.

SPNs are critical to constrained delegation. When you set up a domain computer or user account for delegation, one step of the process is to list the SPNs of services on other computers that the computer is allowed to delegate to. This list forms a type of ACL. The services running on the other computers are identified by the SPNs that are issued to those services.

Multiple services can run simultaneously under the same account. Therefore, for each SPN that is set, you need these four unique pieces of information:

• The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.

• The account under which the service is running.

• The computer on which the service is running, including any aliases that point to that computer.

• The port on which the service is running.


These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

An SPN itself consists of three pieces of information, ServiceClass/Host:Port, where:

• ServiceClass is the service class of the SPN.

• Host is the name of the computer to which the SPN belongs.

• Port is the port that the service the SPN is registered to runs on.

Alex_Raj, posted on: 05/31/2006 03:09:40 PM
How To Set SPN

The Setspn utility sets SPNs. Because SPNs are security-sensitive, you can only set SPNs for user objects if you have domain administrator privileges.


Setspn

• To add an SPN, you can type the following at a command prompt:

setspn -A ServiceClass/Host:Port AccountName


• To delete an SPN, you can type the following at a command prompt:

setspn -D ServiceClass/Host:Port AccountName


• To view the SPNs that are registered for an account, you can type the following at a command prompt:

setspn -L AccountName


• To reset the default SPN registrations for the host names for a computer account, you can type the following at a command prompt:

setspn -R ComputerName



The following section discusses the parameters listed above.

• ServiceClass. There are many different types of SPNs, and each service that is running on a computer should have the appropriate SPN service class assigned to it. If an application is written to take advantage of Kerberos authentication and delegation, the specific type of SPN it needs to access is predetermined.

For example, when Internet Explorer versions 5.5 and later use the Kerberos protocol to authenticate to a Web service, the application looks for the HTTP SPN. On the other hand, a SQL Server client looks for the MSSQLSvc/ SPN. If the wrong service class is used on an SPN, then the SPN will not be located when a service searches for it.

• Host. The computer to which the SPN belongs is all the names by which a computer on which the service is running can be referenced. This usually includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases that might have been assigned to this computer. A separate SPN will need to be set for each name by which the computer can be referenced, with the Host parameter changing respectively.

• Port. The port that the service is running on. If this is a default port for that service (such as 80 for HTTP), then it can be omitted. However, it is recommended the port be included regardless of what service is running.

• AccountName. The name of the domain account under which the service runs. If the service runs as Local System or the network service, you usually do not need to set an SPN explicitly for the service because most common SPN service classes will automatically be mapped to the HOST/ SPN which is in turn automatically generated for each computer account.



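The "four unique pieces of information" from the delegation post and the Host/Port/AccountName parameters from the Setspn post above combine into one practical check, shown here as an added example (not code from the posts): derive every SPN a service needs (one per host name or alias, with and without the port, as the post recommends), compare with what is already registered, and emit the `setspn -A` lines still missing, flagging any SPN that another account already holds. It also includes the constrained-delegation allow-list match the delegation post describes, keyed on the `msDS-AllowedToDelegateTo` attribute. Account and host names are constructed; the `setspn -A SPN AccountName` syntax is the one quoted in the post.

```python
"""Required-SPN planning and the constrained-delegation allow-list check.

Added example for this thread, not code from the posts. Names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServiceSpec:
    service_class: str   # e.g. HTTP, MSSQLSvc
    account: str         # domain account the service runs as
    hosts: List[str]     # NetBIOS name, FQDN, and every alias clients may use
    port: Optional[int]  # None only for a class that has no port to qualify


def required_spns(spec: ServiceSpec) -> List[str]:
    """One SPN per name, plus a port-qualified one (the post recommends both)."""
    spns = []
    for host in spec.hosts:
        spns.append(f"{spec.service_class}/{host}")
        if spec.port is not None:
            spns.append(f"{spec.service_class}/{host}:{spec.port}")
    return spns


def plan_setspn(spec: ServiceSpec, registered: Dict[str, List[str]]) -> List[str]:
    """registered: account -> servicePrincipalName values already in AD.

    Returns one 'setspn -A' line per missing SPN and a REM line for each SPN
    that a different account already holds (a duplicate must be removed from
    the other account before it can be added here). Matching is case-insensitive,
    as the Windows KDC's is.
    """
    owners = {spn.lower(): acct for acct, spns in registered.items() for spn in spns}
    plan = []
    for spn in required_spns(spec):
        owner = owners.get(spn.lower())
        if owner is None:
            plan.append(f"setspn -A {spn} {spec.account}")
        elif owner.lower() != spec.account.lower():
            plan.append(f"REM {spn} is already registered to {owner}; "
                        f"run setspn -D {spn} {owner} first")
    return plan


def can_delegate_to(allowed_to_delegate_to: List[str], target_spn: str) -> bool:
    """Constrained delegation: the front-end account's msDS-AllowedToDelegateTo
    list is the ACL the post describes. The match is on the whole SPN string,
    so an alias or port form that is not listed is refused even though it
    names the same back-end service."""
    return target_spn.lower() in {spn.lower() for spn in allowed_to_delegate_to}


if __name__ == "__main__":
    web = ServiceSpec("HTTP", "svc-web", ["web01", "web01.mydomain.com", "intranet.mydomain.com"], 8080)
    existing = {"svc-web": ["HTTP/web01.mydomain.com"], "svc-legacy": ["HTTP/intranet.mydomain.com"]}
    print("\n".join(plan_setspn(web, existing)))
```

`setspn -A` writes the value without checking for duplicates; later versions of setspn add `-S` (refuses to add a duplicate) and `-X` (lists existing duplicates), which are worth using where available.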
Alex_Raj, posted on: 08/07/2006 09:17:12 PM
serviceClass must be in lower case?
According to IBM, <serviceClass> MUST be in lower case. Here is an excerpt from:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahyschemacheck.htm


This name does not comply with the standards that define GSSAPI authentication, which state that the principal name should start with lower case "ldap". As a result, LDAP/mysys.ibm.com@IBM.COM, must be ldap/mysys.ibm.com@IBM.COM in newer i5/OS servers.



Does anyone know which standard?
