
I am trying to achieve Azure SSO in my organisation. I have a web server hosting multiple websites and web applications under those sites. Users access them in the following fashion:

https://<SiteName>/<ApplicationName>/

We have service accounts configured for the different applications, meaning I have multiple service accounts for a single "WebSite", and the same service account is used by several applications.

Now, to achieve Azure SSO, I must configure SPNs for my service accounts, and as per Microsoft the same SPN cannot be assigned to multiple service accounts.

To configure an SPN we have the commands below:

setspn -S HTTP/NETBIOS_NAME_OF_IIS_SERVER domain\username
setspn -S HTTP/FQDN_OF_IIS_SERVER domain\username

How can I assign the same FQDN/NetBIOS name to all service accounts?

Even if I use DNS names for my websites, I still have to assign the same SPN to multiple service accounts.

Tolsadus
Dheeraj Kumar

1 Answer


Yes, this is a fundamental issue with SPNs: you can't have more than one SPN for a URL on a single server. So in your situation, where your different apps run under a single website and you need to use delegation or SSO, they all have to run with the same service account, so you can register a single SPN for that URL.

If that is not possible, you either need to host your apps with different service accounts on the same server under a different URL (assuming you set up the SPN for the URL), or on a different server if you are limited to using server names.

Sam Cogan
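As an added example (not from the question or the answer), a PowerShell sketch that applies the answer's rule to a planned IIS layout before anything is registered: it groups applications by the host name in their URL, flags any host whose HTTP/<host> SPN would have to belong to more than one service account, queries the domain with setspn -Q for SPNs that are already taken, and prints the setspn -S commands for the remaining ones. The server names, DNS names and account names below are constructed placeholders.

```powershell
# Added example: check a planned site/application/service-account layout
# against the one-SPN-one-account rule before running setspn -S.
# Placeholder values; replace with your own server and account names.
$Netbios = 'WEB01'                  # placeholder IIS server NetBIOS name
$Fqdn    = 'web01.corp.example'     # placeholder IIS server FQDN

# Constructed layout: URL host -> application -> service account.
# Two apps under the server's own name run as different accounts (conflict);
# a third app on its own DNS name reuses one of those accounts (fine).
$Apps = @(
    [pscustomobject]@{ Host = $Fqdn; App = 'hr';      Account = 'CORP\svc_hr'  }
    [pscustomobject]@{ Host = $Fqdn; App = 'payroll'; Account = 'CORP\svc_pay' }
    [pscustomobject]@{ Host = 'intranet.corp.example'; App = 'wiki'; Account = 'CORP\svc_hr' }
)

foreach ($group in ($Apps | Group-Object Host)) {
    $accounts = @($group.Group.Account | Sort-Object -Unique)

    # One host name yields one HTTP/<host> SPN, and an SPN can belong to one account only.
    if ($accounts.Count -gt 1) {
        Write-Warning ("HTTP/{0} would be needed by {1} accounts ({2}): run these apps under one account or give each its own DNS name" -f $group.Name, $accounts.Count, ($accounts -join ', '))
        continue
    }

    # Apps reached via the server's FQDN also need the NetBIOS form of the SPN.
    $spns = @("HTTP/$($group.Name)")
    if ($group.Name -ieq $Fqdn) { $spns += "HTTP/$Netbios" }

    foreach ($spn in $spns) {
        # setspn -Q searches the domain for an existing holder of the SPN.
        $query = & setspn -Q $spn
        if ($query -match 'Existing SPN found') {
            Write-Warning "$spn is already registered in the domain:`n$($query -join "`n")"
            continue
        }
        # Emit the registration command rather than running it, so it can be reviewed first.
        Write-Output "setspn -S $spn $($accounts[0])"
    }
}

# After registering, setspn -X lists any duplicate SPNs that exist in the domain.
# & setspn -X
```

Run it as a user who can query Active Directory; with the constructed layout above it warns about the two accounts behind the FQDN and prints the commands for intranet.corp.example only.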