SPN Purpose

A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

↑ Return to Top


SPN Format

serviceclass/host:port servicename

serviceclass and host are required, but port and service name are optional. The colon between host and port is only required when a port is present.

See the following table for a description of each element in the command above:

Element

Description

serviceclass A string that identifies the general class of service; for example, "SqlServer". There are well-known service class names, such as "www" for a Web service or "ldap" for a directory service. In general, this can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name.
host The name of the computer on which the service is running. This can be a fully-qualified DNS name or a NetBIOS name. Be aware that NetBIOS names are not guaranteed to be unique in a forest, so an SPN that contains a NetBIOS name may not be unique.
port An optional TCP or UDP port number to differentiate between multiple instances of the same service class on a single host computer. Omit this component if the service uses the default port for its service class.
servicename An optional name used in the SPNs of a replicable service to identify the data or services provided by the service or the domain served by the service. This component can have one of the following formats:  
  • The distinguished name or objectGUID of an object in Active Directory Domain Services, such as a service connection point (SCP).
  • The DNS name of the domain for a service that provides a specified service for a domain as a whole.
  • The DNS name of an SRV or MX record.

Examples of SPN registrations:

  • HTTP/www.contoso.com – Any page on the Web site on the default TCP port 80 for www.contoso.com, that is http://www.contoso.com/.
  • HTTP/www.contoso.com:8080 – Any page on the Web site on the non-standard TCP port 8080 for www.contoso.com, that is http://www.contoso.com.
  • HOST/WORKSTATION5 - Any service running on the computer with NetBIOS name WORKSTATION5
  • HOST/SERVER7.contoso.com - Any service running on the computer with hostname SERVER7.contoso.com
  • TERMSRV/FRONTRM.contoso.com - The Remote Desktop Protocol (RDP) service running on the computer with hostname FRONTRM.contoso.com 
  • MSSQLSvc/SQLSERVER2.fabrikam.com:1433 – The SQL Server listening on SQLSERVER2.fabrikam.com, port 1433.
  • cifs/KHWIN7.fabrikam.com – The file share on the computer with hostname KHWIN7.fabrikam.com

Notes

  • You only need to specify a port when a non-default port is used for the service. See Port Numbers for a list of assigned port numbers.
  • The NetLogon service registers the default SPNs for the base operating system and refreshes those every 22 minutes after operating system startup.

↑ Return to Top


SetSPN

SetSPN is the application used to manage SPNs for Windows computers. With SetSPN, you can, view, edit, and delete SPN registrations. The command syntax follows:

 Setspn serviceclass/host:portnumber servicename

For example, to register the FIMService on the standard port (meaning you don't have to specify the port number) on a computer named FIMSVR in a domain named contoso.com that is using a service account named FIMService, use the following command:

setspn -s FIMService/FIMSVR.contoso.com CONTOSO\FIMService

The switch -s adds the SPN after verifying that there are no duplicates. To see a list of the SetSPN switches, you can run the command setspn /?

To register the http service on the standard port on a computer named CES1 in the corp.contoso.com domain using a service account named CES, use the following command:

setspn -s http/CES1.corp.contoso.com CORP\CES

↑ Return to Top


Viewing or Checking SPN Registrations

To check the SPNs that are registered for a specific computer using that computer, you can run the following commands from a command prompt:

  • setspn -L hostname - Substitute the actual hostname for the computer for hostname (to see the hostname, type hostname as a command prompt). For example, if you typed hostname at the command prompt and the computer reported the name ContosoDC1, you could then type setspn -L contosoDC1 to see what SPNs are registered for that hostname.
  • setspn -L localhost - This command will check registrations for the account localhost, which is a name indicative of the local computer.  

↑ Return to Top


SPN Registration

The SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from other services running on that computer.

↑ Return to Top


Errors Related to SPN Registration or Configuration

The following error event in the Directory Service log of a domain controller can appear when SPN issues are present:

Event Type Error
Event Source NTDS Replication
Event Category Replication
Event ID 1645
Description The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server.

Additional errors that may be seen related to SPN issues: