Kerberos - Adding a SPN to a Domain User

active-directory kerberos service integrated-authentication spn
15,092

Solution 1

An AD user account will have a Service Principal Name only if it is used to run a service. As such, most AD user accounts will not have any Service Principal Names. The most common example of times when an AD user account will have SPNs is if that user account is used as a service account to run MS SQL, IIS, etc. If an AD user account is used to operate a service, but no SPN is registered in AD, then that service cannot use Kerberos.

In contrast, AD user accounts will always have a User Principal Name.

Service principal names are associated with the security principal (user or groups) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service. Or, it can obtain information from a trusted third party, such as Active Directory. A service principal name is associated with an account and an account can have many service principal names.

Solution 2

To fill in the gaps a bit, if your service needs to run in the context of a.domain user account, then that user account needs to have the SPN.

Where this is commonly found is with IIS application pools. If you have multiple IIS servers for an application behind a load balancer, you may not have the SPN assigned to a specific server, but to a domain user account, and the IIS application pools run in the context of that account. This would be particularly true if you want to impersonate the authenticated user with a "delegation" level token, and access another service on a remote computer.

How you acquire the authenticated user's token is not necessarily important. It can be either an integrated auth token, or a token that you build with the users' supplied credentials, for example with forms authentication. If using constrained delegation, you can impersonate the user without an existing auth token or password, all you need is the username.

But for any of that to work, an SPN is always required.

Solution 3

You should read the MSDN documentation if you're not even sure which problems SPNs solve. It is thorough and complete.

Share:
15,092

Related videos on Youtube

lululoo
Author by

lululoo

Updated on September 18, 2022

Comments

  • lululoo
    lululoo almost 2 years

    When adding a new SPN into the Kerberos domain, you have the option of mapping the SPN to a user. In general, I join the domain through Integrated Windows Authentication, and this creates a new computer account for the service, but now, I would like to try using Kerberos without IWA.

    I believe I have a thorough understanding of how Kerberos authenticates clients for a computer host (good enough for what I'm trying to do) - but what exactly does mapping a SPN to a domain user do?

    Edit: I am not asking about how SPNs work in general. I am asking specifically about the details of mapping a SPN to a domain USER.

    Answer:

    1. Kerberos will allow that specific user to HOST this service - rather than authenticating with a computer host account, the server would be joined into the Kerberos domain under this specific user. Authentication occurs via this user.

    Any further information would be greatly appreciated.

  • lululoo
    lululoo almost 11 years
    I was indeed trying to get at the case where a service is running under a user account. In what ways is this user account used by the service?
  • Ryan Ries
    Ryan Ries almost 11 years
    @lululoo The service runs under the security context of that user account. All processes in Windows need a security context under which to execute.
  • lululoo
    lululoo almost 11 years
    I did not ask about the problems which SPNs solve. Even if I did, linking me to the entire documentation does not point me in the right direction. Please try to consider my present state in understanding Kerberos a bit more before simply writing "RTFM". Thank you for the link though.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Why should I not run setspn.exe on the domain controller?
Why does a SPN on a different host cause a server to lose its trust? How should I fix it?
help using setspn and ktpass
creating an SPN from a linux build server
Permissions to create an spn
Apache Kerberos Authentication - Client didn't delegate us their credential
How to verify kerberos token?
Why is JDK1.8.0u121 unable to find the kerberos default_tkt_enctypes types? (KrbException: no supported default etypes for default_tkt_enctypes)
Edit Sudoers file to allow sudo rights to a AD domain group
How do I clear a user's cached Active Directory password on CentOS 7?