Every SSP that is created in a farm is represented to the world by a virtual directory configured beneath the Office Server Web Services web application that's configured on every node within a SharePoint farm.
The Office Server Web Services web application is associated to the OfficeServerApplicationPool. If you popped open IIS Manager, you'd probably note that the OfficeServerApplicationPool executes under the NETWORK SERVICE account. Each SSP in the farm will be represented by a virtual directory configured beneath this web application; the virtual directory is named with the name of the SSP, so if your farm runs an SSP named SharedServices1, looking underneath the Office Server Web Services web application would reveal a virtual directory named SharedServices1, associated to an application pool with the same name. That application pool runs under the identity of the SSP service account it executes for.
The Office Server Web Services web application is bound to port 56737 and 56738. Sound familiar? You configured a half dozen custom-format SPNs (two for each member of your farm) on your SSP service account when you configured your farm for Kerberos authentication. Right?