Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Service Principal Name vs service account

Posted on 2011-03-15
8
Medium Priority
?
583 Views
Last Modified: 2012-06-22
I have been reading to understande the windows Service Principal Name, but it sounds to me the same as  windows service account.
any expert to clear this up?

thanks
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 6

Accepted Solution

by:
ashunnag earned 1200 total points
ID: 35135716
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

But service account, is the domain/computer account used by a service to work. the service will authenticate and have permissions based on the account it is using.
0
 

Author Comment

by:jskfan
ID: 35135727
can you giv eme an example where you installl multiple intances of a service?
0
 
LVL 6

Assisted Solution

by:ashunnag
ashunnag earned 1200 total points
ID: 35135741
this is an example for print service SPN (from Microsoft site):

The service principal name for the print service for the NTDOM group in building 26 at Reskit, whose distinguished name is "cn=bldg26,dc=ntdom,dc=reskit,dc=com", which is running on nonstandard port number 1234 on host "prt1.ntdom.reskit.com", is as follows:

print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 6

Assisted Solution

by:ashunnag
ashunnag earned 1200 total points
ID: 35135743
0
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 800 total points
ID: 35146104
SPN are related to Kerberos and are used for Kerberos resolution. And are not as same Windows Services. However a Windows Service account, or any Domain account,  can have more than one SPN. You must also not assign duplicate SPN names i.e. not to have multiple Windows Accounts with the same SPN.  

http://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate. For more information, see How Clients Compose a Service's SPN.

For Example when you use Kerberos Constrained delegation, like in an web publishing scenario using ISA or TMG Server.

You publish a web server on the ISA/TMG, the published Web Server runs under the Network Service Account, which for AD purposes is the Computer Account of the Webserver. This webserver.domain.com has the SPN http/webserver.domain.com registered.

The ISA/TMG service on the ISA Server runs under Local System, which again for AD purposes is the Computer account.

When you publish Webserver.domain.com you use credential delegation using Kerberos Constrained delegation and you specify the SPN for which service you will delegate credentials and enter the http/webserver.domain.com

In AD you have to allow the ISA/TMG computer delegation to http/webserver.domain.com

In real life this means that the user authenticates on the TMG server, and credentials are then seamlessly passed on to the backend server, without the need for authentication.

Hope this explains it a bit.



0
 

Author Comment

by:jskfan
ID: 35187119
thanks simonlimon:

I would like to know if SPN, is something at any given time we can check and see in Active directory or wherever it is supposed to be ?
for instance AD account can be seen in AD console, a Service name can be seen in Services console, what about the SPN?

0
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 800 total points
ID: 35187718
To get which account has a specific SPN, sue this:

http://technet.microsoft.com/en-us/library/ee176972.aspx

To get which SPNs are set to an account use this:
http://technet.microsoft.com/en-us/library/cc755442(WS.10).aspx
0
 

Author Closing Comment

by:jskfan
ID: 35330306
thanks
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question