Archive: April, 2012

Where should I register the SPN?

April 21st, 2012

For Kerberos authentication to work, the Service Principal Names (SPNs) have to be registered correctly, and on the correct account.

SPNs are Active Directory (AD) attributes that uniquely identify an instance of a service on a given target host.

If you have a SQL server where the SQL service runs under the Network Service or Local System account, the SPN for SQL should be registered on the machine account. If you have set the service to run under a service account (a domain user account), the SPN should be registered on that domain user account.

SPNs for services running under a machine account are registered automatically, but if you use a domain user account you’ll have to register the SPN manually, either with the setspn.exe tool or with adsiedit.msc.

An SPN must be unique: it can be registered on only one account. If duplicate SPNs exist in the forest, Kerberos authentication for that service will fail.
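An audit script for the two rules above (SPN on the machine account for Network Service / Local System, on the domain user otherwise, and never on more than one account), written as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a default SQL instance named MSSQLSERVER, and a constructed host name sql01.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory
# module; host name 'sql01' and port 1433 are constructed sample values.
Import-Module ActiveDirectory

function Test-SqlSpnPlacement {
    param(
        [Parameter(Mandatory)] [string] $SqlHost,            # short host name
        [string] $DnsDomain = (Get-ADDomain).DNSRoot,
        [int]    $Port = 1433
    )

    $fqdn = "$SqlHost.$DnsDomain"
    # Both forms the SQL client may request for a default instance.
    $spns = @("MSSQLSvc/$fqdn", "MSSQLSvc/${fqdn}:$Port")

    # Which account does the SQL service log on as? Network Service and
    # Local System mean the SPN belongs on the machine account (HOST$);
    # anything else is a domain user account that needs the SPN manually.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $SqlHost `
                           -Filter "Name='MSSQLSERVER'"
    $builtin = @('NT AUTHORITY\NetworkService', 'LocalSystem')
    $expected = if ($builtin -contains $svc.StartName) { "$SqlHost`$" }
                else { ($svc.StartName -split '\\')[-1] }

    foreach ($spn in $spns) {
        # Every AD object holding this SPN. More than one holder is a
        # duplicate SPN and Kerberos for this service will fail.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                                  -Properties servicePrincipalName, sAMAccountName)
        [pscustomobject]@{
            SPN       = $spn
            Expected  = $expected
            Holders   = ($holders.sAMAccountName -join ', ')
            Duplicate = ($holders.Count -gt 1)
            Correct   = ($holders.Count -eq 1 -and
                         $holders[0].sAMAccountName -eq $expected)
        }
    }
}

Test-SqlSpnPlacement -SqlHost 'sql01' | Format-Table -AutoSize
```

`setspn -X` performs the same forest-wide duplicate search from the command line, without the placement check.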

If you have an IIS server (version 6 or earlier), the HTTP service class SPN should be registered on the identity of the application pool the site uses. This is not the case with IIS 7/7.5: by default, IIS 7 has “Kernel-Mode authentication” enabled, so the Kerberos service ticket is encrypted with the machine account password regardless of which account runs the application pool.