Platform SDK: Active Directory, ADSI, and Directory Services
There are two issues here.
The latter may never happen, but it could. The system provides the Computer Management administrative tool, which makes it easy to change a service's logon account, and other applications can use the ChangeServiceConfig function to specify a new logon account for an installed service. By default, you need local administrator privileges to change a service account: the caller needs SERVICE_CHANGE_CONFIG access to the service object, which the default service security descriptor grants only to administrators and the local system. If this did happen, it could affect your service in two ways:
So what can you do? One approach is to have the service installation program store the registered SPNs for each service instance in the registry on the host computer; you could use the same key under HKEY_LOCAL_MACHINE that holds the binding string for the service's SCP. When the service starts, it calls the QueryServiceConfig function to determine its logon account and then queries Active Directory to determine whether the SPNs are registered on the directory object for that account. If the SPNs are not registered, or are registered on the wrong account, the service refuses to start and reports a message (for example, in the event log) saying that a domain administrator must run the service's configuration program to update the logon account settings. This reconfiguration must be done by an administrator because the service account should not have permission to update its own SPNs: an account that can write its own servicePrincipalName attribute could register names that belong to other services and break or hijack their Kerberos authentication. (By default, a computer account can write its own servicePrincipalName only through the validated write, which restricts the values to names of that computer; a domain user account used as a service account has no such right.) Also note that the SPNs must be removed from the old account. Duplicate SPNs in the forest are useless for authentication because the KDC cannot map the name to a single account, so ticket requests for that service fail.
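The start-up check described above, written as an added PowerShell example (this is not code from the Platform SDK page; the SDK itself targets C with QueryServiceConfig and ADSI). It assumes hypothetical names: a service called MyService whose installer stored its SPNs in a REG_MULTI_SZ value named RegisteredSPNs under HKLM:\SOFTWARE\Contoso\MyService, a domain-joined host with the RSAT ActiveDirectory module installed, and a service account in the computer's own domain. It reads the service's logon account from the SCM (the PowerShell equivalent of QueryServiceConfig), resolves that account to its directory object, confirms every recorded SPN is on that object, and additionally searches the global catalog so that a copy left on the old account anywhere in the forest is reported:

```powershell
# Added example, not code from the Platform SDK page.
# Verifies at start-up that the SPNs recorded for this service are registered
# on the service's current logon account and on no other object in the forest.
# Hypothetical names: service 'MyService'; SPNs stored by the installer as the
# REG_MULTI_SZ value 'RegisteredSPNs' under HKLM:\SOFTWARE\Contoso\MyService.
# Requires the ActiveDirectory module (RSAT) and only READ access to the directory.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515); backslash first.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ServiceLogonAccountObject {
    # QueryServiceConfig equivalent: the account the SCM starts the service as,
    # resolved to its Active Directory object (assumed to be in this computer's domain).
    param([string]$ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' is not installed on this host." }
    $logon = $svc.StartName
    if ($logon -match '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$') {
        # Built-in accounts authenticate with the computer's Kerberos identity,
        # so their SPNs live on the computer object (sAMAccountName ends in '$').
        $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue "$env:COMPUTERNAME`$"))"
    } elseif ($logon -match '^\.\\') {
        throw "Logon account '$logon' is a local account and cannot hold SPNs."
    } elseif ($logon -match '^[^\\]+\\(?<user>.+)$') {
        # DOMAIN\user form (also covers gMSAs such as CONTOSO\gmsa$)
        $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Matches.user))"
    } elseif ($logon -match '^[^@]+@.+$') {
        # UPN form
        $filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $logon))"
    } else {
        throw "Unrecognised logon account format: '$logon'"
    }
    $obj = Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName
    if (-not $obj) { throw "No directory object found for logon account '$logon'." }
    return $obj
}

function Test-ServiceSpnRegistration {
    # Returns a list of problems; an empty list means the registration is consistent.
    param([string]$ServiceName, [string]$RegistryKey)
    $expected = (Get-ItemProperty -Path $RegistryKey -Name RegisteredSPNs).RegisteredSPNs
    $account  = Get-ServiceLogonAccountObject -ServiceName $ServiceName
    # A global catalog search (port 3268, empty search base) covers the whole forest,
    # which is where SPN uniqueness is enforced.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $problems = @()
    foreach ($spn in $expected) {
        if ($account.servicePrincipalName -notcontains $spn) {
            $problems += "SPN '$spn' is not registered on $($account.DistinguishedName)."
        }
        $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$(ConvertTo-LdapFilterValue $spn))" `
                               -Server "${gc}:3268" -SearchBase '' |
                  Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }
        foreach ($o in $others) {
            $problems += "SPN '$spn' is also registered on $($o.DistinguishedName); duplicate SPNs break Kerberos authentication."
        }
    }
    return $problems
}

$problems = Test-ServiceSpnRegistration -ServiceName 'MyService' -RegistryKey 'HKLM:\SOFTWARE\Contoso\MyService'
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error "MyService refuses to start: a domain administrator must run the service's configuration program to update the logon account settings."
    exit 1
}
Write-Output "SPN registration for MyService is consistent with its logon account."
```

In a real service the same logic belongs in the service's own start-up path, before it reports SERVICE_RUNNING; the script form is also what an administrator would run to diagnose a start failure. Note that the check needs only read access to the directory, which is consistent with the point above that the service account should never be able to write its own SPNs.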