I've heard about a new Windows 2000 security concept called Service Principal Name (SPN). I've noticed that SPNs are usually linked to computer accounts in Active Directory (AD). What's an SPN and what's it used for? Also, what tools can I use to retrieve a list of SPNs linked to a particular computer account in AD, and how can I use these tools to delete or add SPNs to a computer’s SPN list?

An SPN is a unique identifier for the security identity that a Win2K or later service uses. Like any other piece of code executing on a Win2K machine, a Windows service must always run in the security context of a particular security identity. Microsoft introduced SPNs in Win2K to uniquely identify a service during the Kerberos authentication sequence. When a user sends a Kerberos ticket request for a particular service to the Win2K Kerberos Key Distribution Center (KDC), the request uses the SPN to specify the service the user wants to connect to. The ticket that the KDC generates also specifies the SPN. The user can use the ticket to authenticate only to the service identified by that particular SPN.

An SPN is similar in concept to a user principal name (UPN), which is the unique identifier for a user in a Windows forest—both a UPN and an SPN must be unique in a Windows forest. An SPN is stored in a security principal’s AD object in the ServicePrincipalName attribute. Because many Windows services run in the security context of a machine account, you often find SPNs in the ServicePrincipalName attribute of a machine’s AD object.

Three Microsoft Windows 2000 Resource Kit tools—ADSI Edit, Directory Services Store (Dsstore), and Setspn—let you look at SPNs associated with a particular machine account. ADSI Edit is a Microsoft Management Console (MMC)–based tool, and Dsstore and Setspn are command-line tools. ADSI Edit and Dsstore are two generic tools that let you retrieve all kinds of AD information, and Setspn is a specific tool that lets you retrieve only SPN information. Unlike Dsstore, you can use Setspn and ADSI Edit to add or delete SPNs.

To use Dsstore to retrieve SPNs for computer sqlserver2 in domain emea, go to the command line and type

dsstore -macobj emea\sqlserver2$

To use Setspn to list all SPNs linked to a machine called webserver1, go to the command line and type

setspn –L  webserver1

To add an SPN, use Setspn with the -A switch. Likewise, to delete an SPN, use the -D switch. To enable the user of a Win2K service to construct the service’s SPN without knowing it, SPNs have the following fixed format:

<ServiceClass>/<Host>
:<Port>/<ServiceName>

where

  • <ServiceClass> is a string that identifies the service. Examples are "www" for a Web service and "ldap" for a directory service.
  • <Host> is the NetBIOS or DNS name of the computer on which the service is running.
  • <Port> is an optional parameter for the service port number. This parameter lets you differentiate between multiple instances of the same service running on the same machine but using different TCP/IP port numbers.
  • <ServiceName> is an optional parameter that identifies the data or services that a service provides or to identify the domain a service serves.

For example, an SPN identifying the AD Lightweight Directory Access Protocol (LDAP) service of a domain controller (DC) called DC1 in the sales.hewlettpackard.net domain would appear as

Ldap/DC1.sales.hewlettpackard.net/SALES