service principal name

 refer:http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx

SPNs are unique identifiers for services running on servers. Each service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. It is registered in Active Directory under a user account as an attribute calledService-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from other services running on that computer.

In general, only one SPN should be set for each service. Multiple SPNs can cause clients to connect to the wrong system or the ticket may be encrypted with the wrong key.

 

To add an SPN

  • Type the following at a command prompt:

    setspn -A ServiceClass / Host : Port AccountName

To delete an SPN

  • Type the following at a command prompt:

    setspn -D ServiceClass / Host : Port AccountName

To view the SPNs that are registered for an account

  • Type the following at a command prompt:

    setspn -L AccountName

To reset the default SPN registrations for the host names for an account

  • Type the following at a command prompt:

    setspn -R AccountName

Setspn Parameters

The following section describes the parameters for the Setspn.exe tool:

-A
Adds the specified SPN for the computer.

 

-D
Deletes the specified SPN for the computer.

 

-L
Lists the currently registered SPN for the computer. This parameter is the default: setspn run without this parameter also lists the registered SPNs.

 

-R
Resets the default SPN registrations for the host names for Computer.

 

ServiceClass
SPN service class assigned to the service.

 

Host
The computer to which the SPN belongs is all the names by which a computer on which the service is running can be referenced. This usually includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases that might have been assigned to this computer. A separate SPN will need to be set for each name by which the computer can be referenced, with the Host parameter changing respectively.

 

Port
The port that the service is running on. It is recommended to include the port even if it is a default port for the service.

 

AccountName
The name of the domain account under which the service runs. If the service runs as Local System or the network service, you usually do not need to set an SPN explicitly for the service because most common SPN service classes will automatically be mapped to the HOST/ SPN which is in turn automatically generated for each computer account.

 

For more information about using Setspn.exe to manipulate service principal names for accounts, see Setspn.exe: Manipulate Service Principal Names for Accounts on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=43030).

你可能感兴趣的:(service,name,principal)