Trying to get people at work to clean up duplicate SPNs, and came across some links while reading about this topic.
From the official MSDN article: A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
Basically, when a client application tries to authenticate with a service instance and the domain controller needs to issue it Kerberos tickets, the domain controller needs to know whose password to use for the service instance – is it that of the server where this instance runs, or that of a service account responsible for it? This mapping of service -> service account / computer account is an SPN. It's of the format service/host:port and is associated with the AD account of the service account or computer account (stored in the servicePrincipalName attribute, actually).
- https://blogs.msdn.microsoft.com/chiranth/2013/09/20/all-about-kerberos-the-three-headed-dog-with-respect-to-iis-and-sql/ – a good intro to Kerberos and SPNs
- https://blogs.technet.microsoft.com/tristank/2006/05/08/3-simple-rules-to-kerberos-authenticationdelegation-spns/ – nothing special, but a good post to read
- https://blogs.technet.microsoft.com/askds/2008/11/25/fun-with-the-kerberos-delegation-web-site/ – very informative post on configuring SPNs for IIS and SQL
- https://blogs.msdn.microsoft.com/autz_auth_stuff/2011/04/28/what-is-a-spn-and-why-should-you-care/ – a brief post that kind of ended abruptly, but has some good points. Even if you don’t open this blog post, remember the following:
  - An SPN is nothing more fancy than an alias (or pointer) for a domain account, e.g. HTTP/HRWeb is an alias for the domain account MyDomain\HRWebAct.
  - You can have more than one SPN pointing to the same domain account.
- https://blogs.msdn.microsoft.com/sqlupdates/2014/12/05/sql-server-kerberos-and-spn-quick-reference/ – a great reference, especially the latter sections where they talk about the flow during Kerberos authentication. Must read.
- https://blogs.msdn.microsoft.com/sqlupdates/2015/06/23/duplicate-spn-what-is-it-really/ – what to do in case of duplicate SPNs
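As an added example (not taken from any of the linked posts), here is one way to list duplicate SPNs in PowerShell: collect every servicePrincipalName value, record which accounts hold it, and report the values held by more than one account. The function name Find-DuplicateSpn and the sample accounts are made up for illustration.

```powershell
# Added example. Input objects need SamAccountName and ServicePrincipalName,
# the shape returned by a live query such as:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties sAMAccountName, servicePrincipalName
function Find-DuplicateSpn {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Account
    )
    begin {
        # @{} compares keys case-insensitively, so HTTP/HRWeb and http/hrweb collide here.
        $owners = @{}
    }
    process {
        foreach ($a in $Account) {
            foreach ($spn in $a.ServicePrincipalName) {
                if (-not $owners.ContainsKey($spn)) {
                    $owners[$spn] = [System.Collections.Generic.List[string]]::new()
                }
                if ($owners[$spn] -notcontains $a.SamAccountName) {
                    $owners[$spn].Add($a.SamAccountName)
                }
            }
        }
    }
    end {
        # Emit one row per SPN that is registered on more than one account.
        foreach ($spn in ($owners.Keys | Sort-Object)) {
            if ($owners[$spn].Count -gt 1) {
                [pscustomobject]@{ SPN = $spn; Accounts = $owners[$spn] -join ', ' }
            }
        }
    }
}

# Constructed sample data (not real accounts); HTTP/HRWeb reuses the alias example from the list above.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'HRWebAct'; ServicePrincipalName = @('HTTP/HRWeb') }
    [pscustomobject]@{ SamAccountName = 'HRWEB01$'; ServicePrincipalName = @('HOST/HRWEB01', 'http/hrweb') }
    [pscustomobject]@{ SamAccountName = 'SqlSvc'; ServicePrincipalName = @('MSSQLSvc/sql01.mydomain.example:1433') }
)
$sample | Find-DuplicateSpn
```

The built-in `setspn -X` performs a similar duplicate search; the function above is useful when you want the result as objects to filter or export.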
That’s all!