Platform SDK: Active Directory, ADSI, and Directory Services

How Clients Compose a Service's SPN

To authenticate a service, a client application composes an SPN for the service instance to which it wants to connect. The client application can use the DsMakeSpn function to compose an SPN. The client specifies the components of the SPN using known information or information retrieved from sources other than the service itself.

The form of an SPN is shown below; ServiceClass and Host are required, and Port and ServiceName are optional.

ServiceClass/Host:Port/ServiceName

Typically, the client "knows" the ServiceClass part of the name, and knows which of the optional components to include in the SPN. The client can retrieve components of the SPN from sources such as a service connection point (SCP) or user input. For example, the client can read the serviceDNSName attribute of a service's SCP to get the Host component. The serviceDNSName attribute contains either the DNS name of the server on which the service instance is running or the DNS name of SRV records containing the host information for service replicas. The ServiceName component, used only for replicable services, can be the distinguished name of the service's SCP, the DNS name of the domain served by the service, or the DNS name of SRV or MX records.
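The composition rule above, as an added Python example that is not code from the SDK page and does not call DsMakeSpn: it builds an SPN from the four components, rejects delimiter characters in values obtained from user input or an SCP attribute (so such a value cannot change which service instance the name refers to), and parses an SPN back into its components; the function and class names are this example's own.

```python
# Added example (not from the Platform SDK page, and not DsMakeSpn): compose and
# parse SPNs of the form ServiceClass/Host:Port/ServiceName with delimiter checks.
from typing import NamedTuple, Optional

class Spn(NamedTuple):
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

def _check(name: str, value: str) -> str:
    # '/' separates components and ':' introduces the Port, so a value taken
    # from user input or an SCP attribute must not smuggle either delimiter in.
    if not value.strip():
        raise ValueError(f"{name} must be non-empty")
    if "/" in value or ":" in value:
        raise ValueError(f"{name} may not contain '/' or ':'")
    return value

def compose_spn(service_class: str, host: str, port: Optional[int] = None,
                service_name: Optional[str] = None) -> str:
    """ServiceClass and Host are required; Port and ServiceName are optional."""
    spn = _check("ServiceClass", service_class) + "/" + _check("Host", host)
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError(f"Port {port} is out of range")
        spn += f":{port}"
    if service_name is not None:
        if not service_name.strip():
            raise ValueError("ServiceName, when given, must be non-empty")
        spn += "/" + service_name  # last component, so it may itself contain '/'
    return spn

def parse_spn(spn: str) -> Spn:
    """Inverse of compose_spn; splits on the first two '/' only."""
    parts = spn.split("/", 2)
    if len(parts) < 2:
        raise ValueError("an SPN needs at least ServiceClass/Host")
    host, sep, port_text = parts[1].partition(":")
    port = None
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid Port {port_text!r}")
        port = int(port_text)
    service_name = parts[2] if len(parts) == 3 else None
    if service_name is not None and not service_name.strip():
        raise ValueError("ServiceName, when given, must be non-empty")
    return Spn(_check("ServiceClass", parts[0]), _check("Host", host), port, service_name)
```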

For sample code that a client program uses to compose an SPN for a service, see How a Client Authenticates an SCP-based Windows Sockets Service.

For a description of the SPN components, see Name Formats for Unique SPNs.