The object has class computer (or a subclass of computer).
In AD DS, the servicePrincipalName value satisfies the following constraints:
- The SPN (2) is a syntactically correct two-part SPN (2), or it is a syntactically correct three-part SPN (2) and the object is a DC's domain controller object (see sections 6.1.1.3.1 and 6.1.1.3.2). See section 2.2.21 for the syntax of an SPN (2).
- The SPN (2) MUST NOT contain an ":instancename" component.
- One of the following constraints:
  - The hostname matches one of the following: the dNSHostName of the machine, the sAMAccountName of the machine (without the terminating "$"), one of the msDS-AdditionalDnsHostName, or one of the msDS-AdditionalSamAccountName (without the terminating "$").
  - The object has class msDS-ManagedServiceAccount (or a subclass of msDS-ManagedServiceAccount), the domain behavior version is at least DS_BEHAVIOR_WIN2008R2, and the hostname matches one of the following: the dNSHostName, the sAMAccountName (without the terminating "$"), one of the msDS-AdditionalDnsHostName, or one of the msDS-AdditionalSamAccountName (without the terminating "$"), of an object that is referenced by the msDS-HostServiceAccountBL attribute on the object.
  - The SPN (2) is a two-part SPN (2), and the service name is of the form <guid>._msdcs.<fqdn>, where <guid> is the objectGUID of the domain controller, and <fqdn> matches the msDS-DnsRootAlias of a crossRef object representing the forest.
  - The SPN (2) is a three-part SPN (2) and the service name matches one of the following constraints:
    - The service class is "GC" and the service name matches one of the following: the dnsRoot, or the msDS-DnsRootAlias of the crossRef object representing the forest root domain NC.
    - The service class is "ldap" and the service name matches one of the following: the NetBIOSName, the dnsRoot, or the msDS-DnsRootAlias of a crossRef object representing the domain NC or one of the application NCs hosted by the DC.
The requester MUST have the Validated-SPN validated write right.
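The checks above can be read as a small decision procedure. The following Python sketch is an added example, not code from the specification or from Microsoft: it covers the syntax rule, the ":instancename" rule, the hostname branch and the three-part "GC"/"ldap" branch, and leaves out the msDS-ManagedServiceAccount branch, the <guid>._msdcs.<fqdn> branch and the Validated-SPN access check. The SPN grammar in the regular expression, the case-insensitive comparison, the dictionary representation of the object, and the `is_dc`, `gc_names` and `ldap_names` parameters (holding the relevant crossRef values) are assumptions.

```python
import re

# Assumed SPN shape (the page defers to section 2.2.21 for the grammar):
#   serviceclass "/" hostname [":" port | ":" instancename] ["/" servicename]
SPN_RE = re.compile(r"^([^/:]+)/([^/:]+)(?::([^/:]+))?(?:/([^/]+))?$")

SAMPLE = {  # constructed computer object, not taken from the page
    "dNSHostName": "web01.corp.example",
    "sAMAccountName": "WEB01$",
    "msDS-AdditionalDnsHostName": ["www.corp.example"],
    "msDS-AdditionalSamAccountName": ["WWW$"],
}

def host_names(obj):
    """Names the hostname may match; SAM names lose the terminating '$'."""
    dns = [obj.get("dNSHostName", "")] + obj.get("msDS-AdditionalDnsHostName", [])
    sam = [obj.get("sAMAccountName", "")] + obj.get("msDS-AdditionalSamAccountName", [])
    names = dns + [s[:-1] if s.endswith("$") else s for s in sam]
    return {n.lower() for n in names if n}  # case-insensitive match is assumed

def check_spn(spn, obj, is_dc=False, gc_names=(), ldap_names=()):
    """Return (allowed, reason) for one servicePrincipalName value."""
    m = SPN_RE.match(spn)
    if not m:
        return False, "syntax"
    svc_class, host, suffix, svc_name = m.groups()
    # A non-numeric component after ':' is an instancename, which is forbidden.
    if suffix is not None and not (suffix.isascii() and suffix.isdigit()):
        return False, "instancename"
    # Three-part SPNs are accepted only on a DC's domain controller object.
    if svc_name is not None and not is_dc:
        return False, "three-part SPN on non-DC"
    if host.lower() in host_names(obj):
        return True, "hostname"
    if svc_name is not None:
        allowed = {"gc": gc_names, "ldap": ldap_names}.get(svc_class.lower(), ())
        if svc_name.lower() in {n.lower() for n in allowed}:
            return True, "service name"
    return False, "no constraint matched"
```

An SPN naming a different host, such as `HTTP/dc01.corp.example` on the sample object, falls through every branch and is rejected, which is the case these constraints exist to stop.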