Service Principle Names (SPN)
Service Principal Names (SPNs) in Microsoft Windows are unique identifiers assigned to each service instance on a network. They are used in Kerberos authentication to associate a service instance with a service logon account. This association is crucial for Kerberos to correctly authenticate clients accessing network services.
An SPN uniquely identifies a service instance in a domain, ensuring that Kerberos authentication can uniquely target that service when a client requests access. SPNs have a specific format, usually as serviceType/host:port/serviceName
. For example, a typical SPN for a web service might be HTTP/webserver.domain.com
.
When a client wants to access a service in a Windows network, it requests a Kerberos Tickets|Kerberos ticket for the SPN of that service. The Domain Controller then uses the SPN to find the service's account in the Active Directory and issue an appropriate ticket.
Imagine a SQL Server named sqlserver1
in the domain company.com
running under the service account SQLService
. The SPN for this SQL Server might look like:
MSSQLSvc/sqlserver1.company.com:1433
This SPN includes:
- The service type:
MSSQLSvc
- The host:
sqlserver1.company.com
- The port:
1433
(the default port for SQL Server)
Info
When a client application tries to connect to this SQL Server instance using Windows Authentication, the Kerberos protocol uses this SPN to authenticate and securely negotiate the connection.