Platform SDK: Active Directory, ADSI, and Directory Services

How a Service Composes its SPNs

There are two functions a service can use to compose its SPNs: DsGetSpn is a general-purpose function for composing SPNs, and DsServerRegisterSpn is a specialized function for composing and registering simple SPNs for a host-based service.

A service installation program typically uses the DsGetSpn function to compose SPNs, which it then registers on the service's logon account using the DsWriteAccountSpn function. DsGetSpn can do any of the following:

The array of names returned by DsGetSpn must be freed by calling the DsFreeSpnArray function.

Note that the DsGetSpn, DsWriteAccountSpn, and DsServerRegisterSpn functions do not check SPNs to ensure that they are unique. Because mutual authentication fails if a client presents an SPN that is not unique, you should check for uniqueness before registering an SPN. To do this, search the global catalog (GC) for servicePrincipalName attributes that match your SPN. For information about searching the GC, see Searching Global Catalog Contents.
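The following is an added example, not Platform SDK code, of the two pieces of logic around the uniqueness check: building an exact-match search filter for the servicePrincipalName attribute with RFC 4515 escaping, and deciding from the search results whether the SPN is already held by another account. The GC search itself is not shown; the function names `spn_filter` and `spn_conflicts`, the sample SPN, and the distinguished names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "(servicePrincipalName=<spn>)" with RFC 4515 escaping so '*', '(',
 * ')' and '\' match literally. Returns 0, or -1 if out is too small. */
int spn_filter(const char *spn, char *out, size_t cap)
{
    static const char prefix[] = "(servicePrincipalName=";
    size_t n = sizeof prefix - 1;
    if (cap < n + 2) return -1;                 /* room for ")" and NUL */
    memcpy(out, prefix, n);
    for (; *spn; spn++) {
        unsigned char c = (unsigned char)*spn;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (n + (special ? 3 : 1) + 2 > cap) return -1;
        if (special) n += (size_t)sprintf(out + n, "\\%02x", (unsigned)c);
        else out[n++] = (char)c;
    }
    out[n++] = ')';
    out[n] = '\0';
    return 0;
}

/* Case-insensitive DN comparison (assumption: DNs are already normalized). */
static int same_dn(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* holders: distinguishedName of each object the GC search returned.
 * Returns how many are not the service's own logon account; nonzero
 * means registering the SPN would create a duplicate. */
size_t spn_conflicts(const char *own_dn, const char **holders, size_t count)
{
    size_t conflicts = 0;
    for (size_t i = 0; i < count; i++)
        conflicts += !same_dn(own_dn, holders[i]);
    return conflicts;
}

int main(void)
{
    const char *own = "CN=svc-sql,OU=Services,DC=example,DC=com"; /* constructed */
    const char *holders[] = { "CN=old-svc,OU=Services,DC=example,DC=com" };
    char filter[256];
    if (spn_filter("MSSQLSvc/db1.example.com:1433", filter, sizeof filter)) return 1;
    printf("%s -> %zu conflict(s)\n", filter, spn_conflicts(own, holders, 1));
    return 0;
}
```

Without the escaping, a `*` in the SPN would turn the exact-match test into a wildcard search and report unrelated accounts as duplicates.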