An AD user account will have a Service Principal Name only if it is used to run a service. As such, most AD user accounts will not have any Service Principal Names. The most common example of times when an AD user account will have SPNs is if that user account is used as a service account to run MS SQL, IIS, etc. If an AD user account is used to operate a service, but no SPN is registered in AD, then that service cannot use Kerberos.

In contrast, AD user accounts will always have a User Principal Name.

Service principal names are associated with the security principal (user or group) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service, or it can obtain information from a trusted third party, such as Active Directory. A service principal name is associated with an account, and an account can have many service principal names.

You should read the MSDN documentation if you're not even sure which problems SPNs solve. It is thorough and complete.
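An added example, not part of any answer above, that puts the user-vs-service-account distinction into practice: it inventories the (usually few) user accounts that hold SPNs and then checks that no SPN is registered on more than one object, since Kerberos needs each SPN to resolve to exactly one account. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory.

```powershell
# Added example (not from the original thread). Requires the RSAT ActiveDirectory
# module and a session that can read the domain.
Import-Module ActiveDirectory

# 1. User accounts that hold at least one SPN. Most user accounts return nothing
#    here; the ones that do are typically service accounts (SQL, IIS, ...).
function Get-UserAccountsWithSpn {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties ServicePrincipalName, PasswordLastSet |
      ForEach-Object {
        [PSCustomObject]@{
            SamAccountName        = $_.SamAccountName
            UserPrincipalName     = $_.UserPrincipalName   # every user object has one UPN
            Enabled               = $_.Enabled
            PasswordLastSet       = $_.PasswordLastSet
            SpnCount              = @($_.ServicePrincipalName).Count
            ServicePrincipalNames = ($_.ServicePrincipalName -join '; ')
        }
      }
}

# 2. SPNs registered on more than one object (user or computer). An SPN must map
#    to exactly one account or the KDC cannot issue tickets for that service.
function Get-DuplicateSpns {
    $owners = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
      ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()          # SPN comparison is case-insensitive
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($dn)
        }
      }
    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [PSCustomObject]@{ SPN = $entry.Key; Owners = ($entry.Value -join '; ') }
        }
    }
}

Get-UserAccountsWithSpn | Sort-Object SpnCount -Descending | Format-Table -AutoSize
Get-DuplicateSpns | Format-Table -AutoSize
```

The first listing is the set of accounts whose password hygiene and group membership deserve the closest review; the second should be empty in a healthy domain.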