How a Service Composes its SPNs

A service can use two functions to compose its SPNs: DsGetSpn is a general-purpose function for composing SPNs and DsServerRegisterSpn is a specialized function for composing and registering simple SPNs for a host-based service.

A service installer typically uses the DsGetSpn function to compose SPNs, which it then registers on the service's logon account using the DsWriteAccountSpn function. The DsGetSpn function can perform the following tasks.

  • Create a simple SPN with the "<service class>/<host>" format for a host-based service.
  • Create a complex SPN that includes the "<service name>" component used by replicable services or the "<port>" component that distinguishes multiple instances of a service on a single host.
  • Create a single SPN with the "<host>" component set to either the name of a specified host or the name of the local computer by default.
  • Create an array of SPNs for multiple service instances that will run on multiple hosts throughout the forest. Each SPN specifies the name of the host for a service instance.
  • Create an array of SPNs for multiple service instances that will run on the same host. Each SPN specifies the name of the host and a port number for a service instance.

The array of names returned by DsGetSpn must be freed by calling the DsFreeSpnArray function.

Be aware that the DsGetSpn, DsWriteAccountSpn, and DsServerRegisterSpn functions do not verify that SPNs are unique. Because mutual authentication fails if a client presents an SPN that is not unique, verify uniqueness before registering an SPN. To do this, search the global catalog (GC) for servicePrincipalName attributes that match your SPN. For more information about searching the GC, see Searching the Global Catalog.
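The following is an added example, not code from the Microsoft page. It shows the "<service class>/<host>[:<port>][/<service name>]" layout that DsGetSpn composes as a portable C routine (so the shape of simple, port-qualified and service-name-qualified SPNs is visible on any platform), and, when built on Windows, calls DsGetSpn, DsBind, DsWriteAccountSpn and DsFreeSpnArray in the order the text describes. The service class `MyServiceClass`, the hosts, ports and the account DN are constructed placeholders; the uniqueness check against the global catalog that the page requires is not performed here and must precede the DsWriteAccountSpn call.

```c
/* Added example (not from the Microsoft page): composes SPNs in the
 * "<service class>/<host>[:<port>][/<service name>]" form that DsGetSpn
 * produces, then, on Windows only, asks DsGetSpn itself for a simple
 * host-based SPN and registers it with DsWriteAccountSpn.  All host, account
 * and class names below are constructed placeholders. */
#include <stdio.h>
#include <string.h>

/* Portable illustration of the SPN layout.  Returns 0 on success, -1 if the
 * buffer is too small.  port == 0 and service_name == NULL omit those parts,
 * giving the simple "<service class>/<host>" form. */
static int compose_spn(char *out, size_t out_len, const char *service_class,
                       const char *host, unsigned short port,
                       const char *service_name)
{
    int n;
    if (port != 0 && service_name != NULL)
        n = snprintf(out, out_len, "%s/%s:%u/%s", service_class, host,
                     (unsigned)port, service_name);
    else if (port != 0)
        n = snprintf(out, out_len, "%s/%s:%u", service_class, host, (unsigned)port);
    else if (service_name != NULL)
        n = snprintf(out, out_len, "%s/%s/%s", service_class, host, service_name);
    else
        n = snprintf(out, out_len, "%s/%s", service_class, host);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <ntdsapi.h>
#pragma comment(lib, "ntdsapi.lib")

/* Compose via DsGetSpn, register on the service account, free the array.
 * The account DN is an assumed placeholder. */
static DWORD register_host_spn(void)
{
    DWORD cSpn = 0, status;
    LPWSTR *rgSpn = NULL;
    HANDLE hDs = NULL;

    /* Simple host-based SPN in DNS-host form, no service name, no port.
       With no instance names supplied, DsGetSpn uses the local computer. */
    status = DsGetSpnW(DS_SPN_DNS_HOST, L"MyServiceClass", NULL, 0,
                       0, NULL, NULL, &cSpn, &rgSpn);
    if (status != ERROR_SUCCESS)
        return status;

    status = DsBindW(NULL, NULL, &hDs);   /* any DC in the local domain */
    if (status == ERROR_SUCCESS) {
        /* DsWriteAccountSpn does not check uniqueness: search the GC for
           servicePrincipalName=<spn> before reaching this call. */
        status = DsWriteAccountSpnW(hDs, DS_SPN_ADD_SPN_OP,
                                    L"CN=svc-myservice,OU=Service Accounts,DC=example,DC=com",
                                    cSpn, (LPCWSTR *)rgSpn);
        DsUnBindW(&hDs);
    }
    DsFreeSpnArrayW(cSpn, rgSpn);         /* always free what DsGetSpn returned */
    return status;
}
#endif

int main(void)
{
    char spn[256];
    const char *hosts[] = { "app01.example.com", "app02.example.com" };
    unsigned short ports[] = { 8080, 8081 };
    size_t i;

    /* One SPN per host, for instances spread across the forest ... */
    for (i = 0; i < 2; i++) {
        if (compose_spn(spn, sizeof spn, "http", hosts[i], 0, NULL) == 0)
            printf("%s\n", spn);
    }
    /* ... and one per port, for several instances on the same host. */
    for (i = 0; i < 2; i++) {
        if (compose_spn(spn, sizeof spn, "http", "app01.example.com", ports[i], NULL) == 0)
            printf("%s\n", spn);
    }
#ifdef _WIN32
    printf("DsWriteAccountSpn status: %lu\n", (unsigned long)register_host_spn());
#endif
    return 0;
}
```

The portable loops print the two SPN arrays the page describes (one host per entry, and one port per entry on a single host). On Windows the program must be linked against ntdsapi.lib and run under an account allowed to write servicePrincipalName on the target object; DsWriteAccountSpn returns a Win32 error code rather than failing silently when it is not.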