What is a Service Principal Name (SPN) mapping?

John Savill

May 20, 2007


A. Put simply, an SPN mapping allows a service on a particular server to be associated with an account responsible for the management of the service, thereby permitting mutual Kerberos authentication. To use mutual Kerberos authentication, the Windows security layer must be able to determine the account that a service is using.

With an SPN map defined in Active Directory (AD), the Windows account responsible for the service can be ascertained and used for Kerberos authentication. This mapping is necessary because many clients will compose an SPN based on the hostname and port the client is connecting to. Many services register SPNs for this reason; for example, Microsoft SQL Server registers an SPN if TCP/IP is enabled to facilitate Kerberos authentication, thereby avoiding the use of NTLM.
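The lookup described above, as an added example that is not part of the original article: a PowerShell function that composes the SPN a client would request and reports which account it maps to in the current domain. The function name `Get-SpnMapping`, the host `sql01.corp.example.com` and port 1433 are assumptions for illustration; `MSSQLSvc` is the service class SQL Server uses for its SPNs.

```powershell
# Added example: resolve an SPN to the AD account it is mapped to.
function Get-SpnMapping {
    param(
        [Parameter(Mandatory)] [string] $ServiceClass,
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 0
    )

    # Compose the SPN as a client would: <class>/<host>[:<port>]
    $spn = if ($Port -gt 0) { "$ServiceClass/${HostName}:$Port" } else { "$ServiceClass/$HostName" }

    # Escape LDAP filter metacharacters (RFC 4515); backslash first
    $safe = $spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Searches the current domain only (assumption: the service account lives there)
    $searcher = [adsisearcher]"(servicePrincipalName=$safe)"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'distinguishedname'))
    $hits = @($searcher.FindAll())

    # Unmapped:  no account holds the SPN, so Kerberos cannot be used for it
    # OK:        exactly one account holds the SPN
    # Duplicate: more than one account holds the SPN, so the mapping is ambiguous
    $status = switch ($hits.Count) {
        0       { 'Unmapped' }
        1       { 'OK' }
        default { 'Duplicate' }
    }

    if ($hits.Count -eq 0) {
        [pscustomobject]@{ SPN = $spn; Status = $status; Account = $null; DN = $null }
        return
    }
    foreach ($hit in $hits) {
        [pscustomobject]@{
            SPN     = $spn
            Status  = $status
            Account = [string]$hit.Properties['samaccountname'][0]
            DN      = [string]$hit.Properties['distinguishedname'][0]
        }
    }
}

# Constructed sample values: a default SQL Server instance listening on TCP 1433
Get-SpnMapping -ServiceClass 'MSSQLSvc' -HostName 'sql01.corp.example.com' -Port 1433
```

Run it from a domain-joined machine as any authenticated user; it only reads the `servicePrincipalName` attribute and changes nothing in the directory.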

See also: Learning About the servicePrincipalName Attribute and How do I retrieve Service Principal Names from the Active Directory?
