I remember the first time I saw the acronym SPN when I were introduced to WCF some years ago.
After reading the article in MSDN I didn’t feel better. What is a ServicePrincipalName?
The way I usually think now (and I apologize for you that don’t know the DNS lingo) is that it is conceptually the same as a CNAME record.
A SPN is nothing more fancy than an alias (or pointer) for a domain account, e.g.
HTTP/HRWeb is an alias for the domain account MyDomain\HRWebAct
You can have more than one SPN pointing to the same domain account:
HTTP/HRWeb2 is also an alias for the domain account MyDomain\HRWebAct
In fact, the SPN: “HTTP/HRWeb“ is an entry in the attribute servicePrincipalName for the account HRWebAct in the Windows Active Directory Domain MyDomain.com §
The next obviously question would be: why do you need an alias?
The answer to that is a bit longer, and this is the beginning of the journey into the mystery of Kerberos.
Let me start with a little quiz that illustrates the complexity of Kerberos and the reason why people shy away from using Kerberos. The quiz is based on a real customer experience but sanitized to protect the customer identity.
(The following could also be a question in a certification test in Windows and Kerberos).
- You have a Windows Server 2008 R2 server called MyWebServer that is member of the Active Directory domain MyDomain.com
- The Active Directory is configured on Windows Server 2003 server using the default options during installation.
- On the web server you have several web sites including an HR Application: HRWeb
- You prefer that your users is navigating to the application using a simple url like http://HRWeb
- The HRWeb application need to connect to a SQL Server 2008 R2 database using “Integrated Security=SSPI” in the connection string
- Only authorized people may use the HRWeb application
- You want to manage permission on the database
Then (as usual for this kind of certification test) a list of what you are doing to solve this requirement:
- Create a DNS Alias for HRWeb that refer to MyWebServer.MyDomain.com
- Configure binding for the site with hostname HRWeb and port 80
- Create an application pool with the identity of a domain account MyDomain\HRWebAct
- Configure the web site to use impersonation
- Create a SPN using the command line to setspn.exe with the following parameters: HTTP/HRWeb MyDomain\HRWebAct
- Grant users the appopriate permissions on the SQL Server to access the HRWeb database
Will this list of action satisfy the requirement? [Yes / No ]
I will supply the answer and explanations to the question in my next post. Feel free to comment with your answer and explanation.
§ I am very well aware that you can use Kerberos in other environment that Windows. I may come back to that topic another day.