• Status: Solved

Service Principal Name vs service account

I have been reading to understand the Windows Service Principal Name, but it sounds to me the same as a Windows service account.
Any expert to clear this up?

thanks
jskfan
ashunnag Commented:
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

But a service account is the domain/computer account used by a service to work. The service will authenticate and have permissions based on the account it is using.
 
jskfan (Author) Commented:
Can you give me an example where you install multiple instances of a service?
 
ashunnag Commented:
This is an example of a print service SPN (from the Microsoft site):

The service principal name for the print service for the NTDOM group in building 26 at Reskit, whose distinguished name is "cn=bldg26,dc=ntdom,dc=reskit,dc=com", which is running on nonstandard port number 1234 on host "prt1.ntdom.reskit.com", is as follows:

print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
simonlimon Commented:
SPNs are related to Kerberos and are used for Kerberos resolution, and they are not the same as Windows Services. However, a Windows Service account, or any domain account, can have more than one SPN. You must also not assign duplicate SPN names, i.e. not have multiple Windows accounts with the same SPN.

http://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate. For more information, see How Clients Compose a Service's SPN.

For example, when you use Kerberos Constrained Delegation, as in a web publishing scenario using ISA or TMG Server:

You publish a web server on the ISA/TMG; the published web server runs under the Network Service account, which for AD purposes is the computer account of the web server. This webserver.domain.com has the SPN http/webserver.domain.com registered.

The ISA/TMG service on the ISA Server runs under Local System, which again for AD purposes is the computer account.

When you publish webserver.domain.com, you use credential delegation with Kerberos Constrained Delegation, and you specify the SPN of the service to which you will delegate credentials by entering http/webserver.domain.com.

In AD you have to allow the ISA/TMG computer to delegate to http/webserver.domain.com.

In real life this means that the user authenticates on the TMG server, and credentials are then seamlessly passed on to the backend server, without the need for authentication.

Hope this explains it a bit.



 
jskfan (Author) Commented:
Thanks, simonlimon.

I would like to know whether an SPN is something we can check and see at any given time in Active Directory, or wherever it is supposed to be.
For instance, an AD account can be seen in the AD console and a service name can be seen in the Services console; what about the SPN?

 
simonlimon Commented:
To get which account has a specific SPN, use this:

http://technet.microsoft.com/en-us/library/ee176972.aspx

To get which SPNs are set to an account use this:
http://technet.microsoft.com/en-us/library/cc755442(WS.10).aspx
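Added example, not part of the original thread or any poster's code: a small Python model of the points made in the answers above, namely the SPN layout from the print example, the two lookups (account to SPNs, SPN to account), and the rule that one SPN must not sit on several accounts. The account names and the ACCOUNTS data are constructed for illustration; in a real domain the values live in each account's servicePrincipalName attribute.

```python
from collections import defaultdict

def parse_spn(spn):
    """Split 'class/host[:port][/servicename]' into its parts."""
    parts = spn.split("/", 2)          # the service name may itself contain '/' or ','
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an SPN: {spn!r}")
    host, sep, port = parts[1].rpartition(":")
    if not (sep and port.isdigit()):   # no numeric port present
        host, port = parts[1], None
    return {"service_class": parts[0], "host": host,
            "port": int(port) if port else None,
            "service_name": parts[2] if len(parts) == 3 else None}

def index_spns(accounts):
    """Map each SPN (lowercased: SPNs compare case-insensitively) to its accounts."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            parse_spn(spn)             # reject malformed values early
            owners[spn.lower()].add(account)
    return owners

def owner_of(accounts, spn):
    """SPN -> account(s). A healthy directory returns exactly one account."""
    return sorted(index_spns(accounts).get(spn.lower(), set()))

def duplicates(accounts):
    """SPNs registered on more than one account, which makes Kerberos lookups ambiguous."""
    return {s: sorted(a) for s, a in index_spns(accounts).items() if len(a) > 1}

# Constructed sample: account name -> servicePrincipalName values.
PRINT_SPN = "print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com"
ACCOUNTS = {
    "WEBSERVER$": ["HOST/webserver.domain.com", "http/webserver.domain.com"],
    "svc-print": [PRINT_SPN],
    "svc-web": ["HTTP/WebServer.domain.com"],  # same SPN as on WEBSERVER$, different case
}

if __name__ == "__main__":
    print(parse_spn(PRINT_SPN))            # structure of the SPN from the print example
    print(ACCOUNTS["WEBSERVER$"])          # account -> its SPNs (one account, several SPNs)
    print(owner_of(ACCOUNTS, PRINT_SPN))   # SPN -> owning account
    print(duplicates(ACCOUNTS))            # the misconfiguration to look for
```

The service account is the key in ACCOUNTS, and the SPNs are the names clients use to reach services running under it. The duplicate check flags the http SPN because two accounts claim it.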
 
jskfan (Author) Commented:
thanks