Solved

Service Principal Name vs service account

Posted on 2011-03-15
8
566 Views
Last Modified: 2012-06-22
I have been reading to understande the windows Service Principal Name, but it sounds to me the same as  windows service account.
any expert to clear this up?

thanks
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 6

Accepted Solution

by:
ashunnag earned 300 total points
ID: 35135716
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

But service account, is the domain/computer account used by a service to work. the service will authenticate and have permissions based on the account it is using.
0
 

Author Comment

by:jskfan
ID: 35135727
can you giv eme an example where you installl multiple intances of a service?
0
 
LVL 6

Assisted Solution

by:ashunnag
ashunnag earned 300 total points
ID: 35135741
this is an example for print service SPN (from Microsoft site):

The service principal name for the print service for the NTDOM group in building 26 at Reskit, whose distinguished name is "cn=bldg26,dc=ntdom,dc=reskit,dc=com", which is running on nonstandard port number 1234 on host "prt1.ntdom.reskit.com", is as follows:

print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 6

Assisted Solution

by:ashunnag
ashunnag earned 300 total points
ID: 35135743
0
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 200 total points
ID: 35146104
SPN are related to Kerberos and are used for Kerberos resolution. And are not as same Windows Services. However a Windows Service account, or any Domain account,  can have more than one SPN. You must also not assign duplicate SPN names i.e. not to have multiple Windows Accounts with the same SPN.  

http://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate. For more information, see How Clients Compose a Service's SPN.

For Example when you use Kerberos Constrained delegation, like in an web publishing scenario using ISA or TMG Server.

You publish a web server on the ISA/TMG, the published Web Server runs under the Network Service Account, which for AD purposes is the Computer Account of the Webserver. This webserver.domain.com has the SPN http/webserver.domain.com registered.

The ISA/TMG service on the ISA Server runs under Local System, which again for AD purposes is the Computer account.

When you publish Webserver.domain.com you use credential delegation using Kerberos Constrained delegation and you specify the SPN for which service you will delegate credentials and enter the http/webserver.domain.com

In AD you have to allow the ISA/TMG computer delegation to http/webserver.domain.com

In real life this means that the user authenticates on the TMG server, and credentials are then seamlessly passed on to the backend server, without the need for authentication.

Hope this explains it a bit.



0
 

Author Comment

by:jskfan
ID: 35187119
thanks simonlimon:

I would like to know if SPN, is something at any given time we can check and see in Active directory or wherever it is supposed to be ?
for instance AD account can be seen in AD console, a Service name can be seen in Services console, what about the SPN?

0
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 200 total points
ID: 35187718
To get which account has a specific SPN, sue this:

http://technet.microsoft.com/en-us/library/ee176972.aspx

To get which SPNs are set to an account use this:
http://technet.microsoft.com/en-us/library/cc755442(WS.10).aspx
0
 

Author Closing Comment

by:jskfan
ID: 35330306
thanks
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question