Service Publication in Active Directory


Service Principal Names

A service principal name (SPN) is associated with the security principal (a user or computer account) in whose security context the service runs. SPNs support mutual authentication between a client application and a service: the client assembles the SPN from information it already knows about the service, or obtains that information from a trusted third party such as Active Directory. Each SPN is associated with one account, and an account can have many service principal names.

For information about registering service principal names in Active Directory at service installation, see the MSDN link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

Service Principal Names Syntax

A service principal name is composed of the following elements.

The basic syntax of a service principal name is as follows:

<service type>/<instance name>:<port number>/<service name>

where the elements of the syntax have the following meanings:

service type   The class of service (for example, print in the example later in this section).
instance name  The name of the host on which this instance of the service runs.
port number    The port on which the service listens. It can be omitted when the service uses the default port for its service type.
service name   The name of the service itself: the DNS name of a domain, the DNS name of a host, or the distinguished name of a service connection point object.

If service name and instance name are the same, as they are for most host-based services, then a service principal name can be abbreviated to two components:

<service type>/<instance name>

For more information about GSS and SSPI, see "Authentication" in this book.

Creating the Service Principal Name

A client creates the service principal name for the service it wants to reach. The service name component can be one of the following: the DNS name of a domain, the DNS name of a host, or the distinguished name of a service connection point object. The SPN is the same regardless of the authentication method. When using Kerberos to authenticate to a server, the client requests a session ticket for the service principal name; when using certificate-based authentication, the client validates the SPN against the contents of the "SubjectName" field of the server's certificate.

Host-Based Service Named in DNS

A host-based service is a service that is identified by the name of the host on which it runs. In such cases, the service principal name of the service is as follows:

<service type>/<host name>:<port number>

Or, if the service uses the default port for its service type, the SPN can be abbreviated to the following:

<service type>/<host name>

Services Named in the Directory Service

The service principal name for a service named in the directory service has the following syntax:

<service type>/<host name>:<port number>/<distinguished name>

where the elements of the syntax have the following meanings:

service type        The class of service.
host name           The name of the host on which the service runs.
port number         The port on which the service listens; it can be omitted when the service uses the default port for its service type.
distinguished name  The distinguished name of the service connection point object that represents the service in the directory.

For example, the service principal name for the print service for the NTDOM group in building 26 at Reskit, whose distinguished name is "cn=bldg26,dc=ntdom,dc=reskit,dc=com", which is running on nonstandard port number 1234 on host "prt1.ntdom.reskit.com", is as follows:

print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
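The following is an added example, not code from the Windows 2000 Resource Kit. It composes, parses and compares SPNs in the syntax given above, covering the two-, three- and four-component forms described in "Service Principal Names Syntax" and the distinguished-name form described in "Services Named in the Directory Service". The DEFAULT_PORTS table and the case-insensitive comparison are assumptions made for illustration; the page only says that the port can be omitted when the service type's default port is used.

```python
"""Compose, parse and compare Kerberos service principal names (SPNs).

Added example, not taken from the Windows 2000 Resource Kit. It follows the
syntax the page gives:

    <service type>/<instance name>[:<port number>][/<service name>]
"""
from dataclasses import dataclass
from typing import Optional

# Assumed, illustrative default ports per service type (IANA assignments).
# The page does not list default ports; this table is here only so that the
# abbreviated and explicit-port forms can be compared.
DEFAULT_PORTS = {"http": 80, "ldap": 389}


@dataclass(frozen=True)
class Spn:
    service_type: str
    instance_name: str                   # host name for a host-based service
    port: Optional[int] = None           # None when the default port is implied
    service_name: Optional[str] = None   # DNS name or DN; None when it equals instance_name

    def __str__(self) -> str:
        text = f"{self.service_type}/{self.instance_name}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name is not None:
            text += f"/{self.service_name}"
        return text


def parse_spn(text: str) -> Spn:
    """Split an SPN string into its components.

    A service name may be a distinguished name such as
    'cn=bldg26,dc=ntdom,dc=reskit,dc=com', which contains '=' and ',' but
    never '/', so only the first two slashes are separators.
    """
    parts = text.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {text!r}")
    service_type, instance = parts[0], parts[1]
    port: Optional[int] = None
    host, colon, port_text = instance.partition(":")
    if colon:
        # Host names never contain ':', so anything after it must be a port.
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port number in SPN: {text!r}")
        instance, port = host, int(port_text)
    if not instance:
        raise ValueError(f"missing instance name in SPN: {text!r}")
    service_name = parts[2] if len(parts) == 3 else None
    if service_name == "":
        raise ValueError(f"empty service name in SPN: {text!r}")
    return Spn(service_type, instance, port, service_name)


def normalize(spn: Spn) -> Spn:
    """Return the abbreviated, lower-cased form used for comparison.

    Drops the port when it equals the assumed default for the service type,
    and drops the service name when it merely repeats the instance name,
    which is the abbreviation the page describes for host-based services.
    Case-insensitive matching is an assumption of this example.
    """
    stype = spn.service_type.lower()
    instance = spn.instance_name.lower()
    port = spn.port
    if port is not None and DEFAULT_PORTS.get(stype) == port:
        port = None
    sname = spn.service_name.lower() if spn.service_name is not None else None
    if sname == instance:
        sname = None
    return Spn(stype, instance, port, sname)


def same_service(a: str, b: str) -> bool:
    """True when two SPN strings name the same service after normalization."""
    return normalize(parse_spn(a)) == normalize(parse_spn(b))


if __name__ == "__main__":
    # The directory-named print service from the page, round-tripped.
    spn = parse_spn("print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com")
    print(spn)
    print(same_service("HTTP/web1.reskit.com:80/web1.reskit.com", "http/web1.reskit.com"))
```

Splitting on at most two slashes is the detail worth noting: a naive `split("/")` works for host-based names but mis-parses a distinguished-name service name only if that DN ever contained a slash, and rejecting empty components catches the truncated forms (`ldap/` or `ldap/host/`) that a typo in a registration would otherwise let through.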

For more information about service principal names, see the MSDN link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

© 1985-2000 Microsoft Corporation. All rights reserved.