Questions tagged [spn]

A Service Principal Name (SPN) identifies a Kerberos-protected service instance running on a host (for example HTTP/foo.bar.com) as a unique entity on a Kerberos-protected network. In Active Directory, Kerberos authentication uses the SPN to associate that service instance with the account under which the service runs (a user, computer or managed service account), so a client can ask the KDC for a ticket to the service without knowing which account actually hosts it. Because the KDC resolves an SPN to exactly one account, the same SPN must not be registered on more than one account in the forest.

Reference: Service Principal Names (Windows) - MSDN - Microsoft https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx
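As an added illustration (not part of the tag wiki or of Microsoft's documentation), the Python below parses SPNs in the documented serviceclass/host[:port][/servicename] shape and then flags any SPN that is registered on more than one account, the misconfiguration that `setspn -S` refuses to create and that makes Kerberos authentication to that service fail. The account names and SPN lists in `INVENTORY` are constructed sample data standing in for what an LDAP query of `servicePrincipalName` or `setspn -Q` would return.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented SPN shape: serviceclass/host[:port][/servicename].  The port
# position is usually numeric, but SQL Server named instances put the
# instance name there (MSSQLSvc/host:INSTANCE), so it is kept as text.
_SPN_RE = re.compile(
    r"^(?P<svc>[^/:\s]+)/(?P<host>[^/:\s]+)"
    r"(?::(?P<port>[^/\s]+))?"
    r"(?:/(?P<name>\S+))?$"
)


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[str] = None          # numeric port or SQL instance name
    service_name: Optional[str] = None  # optional trailing component


def parse_spn(raw: str) -> Spn:
    """Split an SPN into its components; raise ValueError if the shape is wrong."""
    m = _SPN_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a well-formed SPN: {raw!r}")
    return Spn(m["svc"], m["host"], m["port"], m["name"])


def is_valid_spn(raw: str) -> bool:
    """Shape check only: like setspn, this does not verify that the host exists."""
    try:
        parse_spn(raw)
        return True
    except ValueError:
        return False


def spn_key(raw: str) -> str:
    """Comparison key: AD matches servicePrincipalName case-insensitively."""
    return raw.strip().lower()


def find_duplicates(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map every SPN held by more than one account to the accounts holding it."""
    holders: Dict[str, List[str]] = defaultdict(list)
    for account, spns in inventory.items():
        for spn in spns:
            if is_valid_spn(spn):
                holders[spn_key(spn)].append(account)
    return {k: v for k, v in holders.items() if len(v) > 1}


# Constructed sample inventory (account -> registered SPNs), not real data.
# HTTP/foo.bar.com is registered on both the service account and the
# web server's computer account, the classic duplicate-SPN mistake.
INVENTORY: Dict[str, List[str]] = {
    "DOMAIN\\websvc": ["HTTP/foo.bar.com", "HTTP/foo"],
    "DOMAIN\\WEB01$": ["HOST/web01.bar.com", "HOST/WEB01", "http/foo.bar.com"],
    "DOMAIN\\sqlsvc": ["MSSQLSvc/db01.bar.com:1433", "MSSQLSvc/db01.bar.com:INST01"],
}


if __name__ == "__main__":
    for account, spns in INVENTORY.items():
        for spn in spns:
            print(f"{account:16} {spn:32} {parse_spn(spn)}")
    for key, accounts in find_duplicates(INVENTORY).items():
        print(f"DUPLICATE {key} on {', '.join(accounts)}")
```

Run against a real export, the duplicate list is the thing to fix first: remove the SPN from the account that does not actually run the service, then register it once with `setspn -S`, which performs the same forest-wide duplicate check before adding.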

84 questions
1
vote
1 answer

Client with multiple Service SPNs, can client be intentionally limited to certain service? kerberos and / or spnego

I have gotten Active Directory Kerberos and SPNEGO configured correctly, but it always confuses me how a service SPN can be set up to allow only certain domain users to access certain services. For example,…
Alison Aftra
1
vote
1 answer

Why an invalid service principal name (SPN) can be created using setspn

Today, I was able to create a totally random and invalid SPN using the setspn command, but I don't understand why invalid SPNs are allowed. For example: setspn -s RandomSvc/randomname.random.random valid_user ran successfully for valid_user in my…
Dongminator
1
vote
1 answer

Alternative to SetSPN command in PowerShell

I need to be able to manage SQL Server SPNs in a large estate but using the setspn command is a bit too slow. Is there an alternative to the setspn command that is faster? Perhaps in the ActiveDirectory PowerShell module? Thanks
Luke
1
vote
1 answer

Can you create Kerberos principals where the hostname is flexible? (Docker)

I'm specifically trying to do this with Apache Storm (1.0.2), but it's relevant to any service that is secured with Kerberos. I'm trying to run a secured Storm cluster in Docker. There are a number of out-of-the-box docker images out there for…
Daniel Hannum
1
vote
1 answer

spn command failing due to a period in service account name

We are required to have a .svc in our service account names, i.e. aduser.svc. The following setspn command is failing: setspn -a SPNName/aduser.svc.domain.com aduser.svc fails with "unknown parameter, please check your usage". Any ideas on how to get around that?
sapaa
1
vote
1 answer

Kerberos SPN gets cached on Windows Servers?

I have been integrating Kerberos authentication into my SSO project and came across a peculiar scenario. I made a new user and attached an SPN to it, followed the steps on this question and got everything working. By everything I mean: kinit username, and then…
Nikhil L
1
vote
2 answers

How and when does ktpass set the salt?

A user's password and salt determine the Kerberos keys generated by ktpass. I have noticed that ktpass sometimes changes the user's salt, but other times it does not. I was able to discover the salt by capturing a packet trace of a kinit. The salt…
mlowry
1
vote
1 answer

Kerberos authentication issue : Site stops working automatically after some time

There is a website set to run on Windows authentication. There are 3 web applications under the site, each in its own application pool, but with the same domain account. ASP.NET impersonation, Use App Pool credentials, Use Kernel mode…
1
vote
1 answer

Understanding Kerberos principals

I am trying to understand basic Kerberos concepts. I read about principals over here, which typically look like: primary/instance@REALM. I wanted to ask what exactly a primary, an instance and a realm are. Of course there are definitions given on…
rgamber
1
vote
2 answers

SetSPN using powershell to run CMD commands

I am trying to make a script that runs some cmd commands to set SPNs, something to the effect of: for each item in my list, run setspn -s (name of the SPN) domain\service account. But I have a hard time running the command line, and I also need to be able…
1
vote
1 answer

ASP.NET Impersonation scenario. IIS 8.5 to SQL 2012, what SPN needs to be setup?

I have read many blogs and many articles relating to how to have my IIS server pass the authenticated user to SQL. I am stuck, however, on what exactly I need to set my SPN on and to. Here are my settings... IIS: Application Pool .Net v4.0 Integrated…
Travis Peterson
1
vote
0 answers

Windows MSA accounts: can I perform WMI / WinRM commands between two different servers with MSA accounts?

Microsoft allows remote connections to be setup between two Windows servers with MSA (Managed Service Accounts), but seemingly only for a limited range of applications (SQL, IIS, Exchange): Managed Service Accounts (MSA) and SQL 2012: Practical…
1
vote
1 answer

Whether to use an SPN with a Kerberos loginmodule in JAAS

I am building a Kerberos login module with JAAS that will be used by JConsole. JConsole will be the client used to access a process with exposed MBeans; the Kerberos login module will authenticate the user. The user will log in via JConsole, and…
Loco234
1
vote
2 answers

Service Ticket in Kerberos - Hadoop security

I am trying to secure my Hadoop cluster using Kerberos. I am able to generate a TGT using the kinit command, but beyond that I am stuck. 1) I would like to know what is meant by 'serviceTicket' in reality (not as a description). Using which…
Dinesh Kumar P
1
vote
1 answer

WCF Client default SPN generation

How does the WCF client generate the target service's SPN dynamically to get the Kerberos ticket in the SPNEGO use case? For example, if the target service is running under a domain machine account, the SPN associated with the service would be in the form…