What is a SPN and why should you care?

  • Article

I remember the first time I saw the acronym SPN when I were introduced to WCF some years ago.

After reading the article in MSDN I didn't feel better. What is a ServicePrincipalName?

The way I usually think now (and I apologize for you that don't know the DNS lingo) is that it is conceptually the same as a CNAME record.

A SPN is nothing more fancy than an alias (or pointer) for a domain account, e.g.

HTTP/HRWeb is an alias for the domain account  MyDomain\HRWebAct

You can have more than one SPN pointing to the same domain account:

HTTP/HRWeb2 is also an alias for the domain account MyDomain\HRWebAct

In fact, the SPN: "HTTP/HRWeb "  is an entry in the attribute servicePrincipalName for the account HRWebAct in the Windows Active Directory Domain MyDomain.com §

The next obviously question would be: why do you need an alias?

The answer to that is a bit longer, and this is the beginning of the journey into the mystery of Kerberos.

Let me start with a little quiz that illustrates the complexity of Kerberos and the reason why people shy away from using Kerberos. The quiz is based on a real customer experience but sanitized to protect the customer identity.

 (The following could also be a question in a certification test in Windows and Kerberos).

  • You have a Windows Server 2008 R2 server called MyWebServer that is member of the Active Directory domain MyDomain.com
  • The Active Directory is configured on Windows Server 2003 server using the default options during installation.
  • On the web server you have several web sites including an HR Application: HRWeb
  • You prefer that your users is navigating to the application using a simple url like https://HRWeb 
  • The HRWeb application need to connect to a SQL Server 2008 R2 database using "Integrated Security= SSPI" in the connection string
  • Only authorized people may use the HRWeb application
  • You want to manage permission on the database

Then (as usual for this kind of certification test) a list of what you are doing to solve this requirement:

  • Create a DNS Alias for HRWeb that refer to MyWebServer.MyDomain.com
  • Configure binding for the site with hostname HRWeb and port 80
  • Create an application pool with the identity of a domain account MyDomain\HRWebAct
  • Configure the web site to use impersonation
  • Create a SPN using the command line to setspn.exe with the following parameters: HTTP/HRWeb MyDomain\HRWebAct
  • Grant users the appopriate permissions on the SQL Server to access the HRWeb database

Will this list of action satisfy the requirement? [Yes / No ] 

I will supply the answer and explanations to the question in my next post. Feel free to comment with your answer and explanation.

§ I am very well aware that you can use Kerberos in other environment that Windows. I may come back to that topic another day.