A. Put simply, an SPN mapping allows a service on a particular server to be associated with an account responsible for the management of the service, thereby permitting mutual Kerberos authentication. To use mutual Kerberos authentication, the Windows security layer must be able to determine the account that a service is using.

With an SPN map defined in Active Directory (AD), the Windows account responsible for the service can be ascertained and used for Kerberos authentication. This mapping is necessary because many clients will compose an SPN based on the hostname and port the client is connecting to. Many services register SPNs for this reason; for example, Microsoft SQL Server registers an SPN if TCP/IP is enabled to facilitate Kerberos authentication, thereby avoiding the use of NTLM.

See also: Learning About the servicePrincipalName Attribute and How do I retrieve Service Principal Names from the Active Directory?