spn understanding confusion

  • Last Post 23 December 2018
Mat.Collins posted this 17 December 2018


so far i understood that if a service is runnig under local system, we register the spn under the computer account. if it runs on a service account, we need to create the spn on service account in ad. Right?

so here are question about how spn process is handling. (this is my assuumption, can clearly)

  • lets say a client want to login to a computer. it send host\pc1.contoso to kerberos to receive the ticket, fine. then kerberos issue the TGS. what happens if the client (just an idea), send a spn like bullshit\pc1.contoso.com to KDC. then he search in forest for PC1 and if it has a bullshit registered in SPN, the tgs will be issued, otherwise, no TGS. right?
  • lets consider that we have a two servers (web1,sql1) and also two service accounts(svcweb,svcsql) and of cource there as a client1. the scenario is as this: the client request to have acess for web1 by specifying spn http/werb1.contoso; but the http is not run under local system and it runs under svcweb. so how kdc will issue here? the client request spn for local system, but it is actually running under svc account: how it will process?
  • client will need to view a report from sql1. here the SPNs of sq1 should be written on sql1 computer account but who have delegated for? svc web?

last question:

  • in which situations, we should create a spn from a remote domain to a local domain? for example consider two computer accounts in two domains, pc1.contoso.com and pc2.child.contoso.com. in which sittuation I should create a spn like host/pc2.child.contoso.com in computer account of pc1.contoso.com? I ask this because I saw this situations in my environment.

sorry if it was confusing but it also confuses me.

Order By: Standard | Newest | Votes
Parzival posted this 20 December 2018


That is where Kerberos Kernel Model comes into play.. even if your web app is running under a service account (or scvweb), the SPN on the computer account will still be able to decrypt the token to validate the user identity. 


And if you use the hostname of the server (icw kernel mode), you can still run your web app under a service account, but use the standard HOST alias for SPN set on the computer account. 



ken posted this 23 December 2018

Q1) The KDC will reply with an error that the host is unknown


Q2) The client specifies http/web1 and the KDC will search the directory to find that SPN. Regardless of whether it is registered under a computer account or service account, the correct service

ticket will be generated. Note that since Windows Server 2008, there’s the option of kernel mode authentication (http://www.adopenstatic.com/cs/blogs/ken/archive/2008/02/12/16189.aspx)

which avoids the problem of registering SPNs under computer or service account


Q3) Is the client connecting to the web server (and the web server is connecting to the SQL server)? Or is the client connecting directly to the sql server? You need to understand the network flow.