What is a service principal name in Kerberos?

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

How do I add an SPN to my service account?

To add an SPN, run setspn -s service/name hostname at a command prompt, where service/name is the SPN that you want to add and hostname is the actual host name of the computer object that you want to update.

How do you validate SPN?

Verify that the SPN has been successfully registered using the SETSPN command-line utility. At a command prompt, enter setspn -L followed by the name of the service account and press Enter. Next, look through the registered ServicePrincipalName values to ensure that a valid SPN has been created for the SQL Server.
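The same check done from PowerShell, as an added example that is not part of the original page: it looks up which accounts hold a given SPN and reports whether it is missing, registered once, or registered on more than one account (a duplicate SPN breaks Kerberos for that service, and setspn -X reports the same condition). It assumes a domain-joined host and uses the built-in [adsisearcher] accelerator, so no extra module is required; the SPN in the usage line is hypothetical.

```powershell
# Added example: check whether an SPN is registered in the current AD domain
# and flag the duplicate-SPN condition. Assumes a domain-joined host.
function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)]
        [string]$Spn   # e.g. MSSQLSvc/sql01.corp.example.com:1433 (hypothetical)
    )

    # An SPN has the shape <service class>/<host>[:<port>][/<service name>].
    if ($Spn -notmatch '^[^/\s]+/[^/\s:]+(:\d+)?(/[^/\s]+)?$') {
        return [pscustomobject]@{ Spn = $Spn; Status = 'Malformed'; Accounts = @() }
    }

    # Escape LDAP filter metacharacters before placing the SPN in the filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'sAMAccountName')) | Out-Null

    # Collect the sAMAccountName of every account that carries this SPN.
    $accounts = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

    $status = switch ($accounts.Count) {
        0       { 'NotRegistered' }
        1       { 'Registered' }
        default { 'Duplicate' }   # more than one account: the KDC cannot pick one key
    }
    [pscustomobject]@{ Spn = $Spn; Status = $status; Accounts = $accounts }
}

# Usage with a hypothetical SPN:
Test-SpnRegistration -Spn 'MSSQLSvc/sql01.corp.example.com:1433' | Format-List
```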

How do I create a Kerberos principal in Active Directory?

  1. Determine the Kerberos Service Principal Level.
  2. Configure the Kerberos Configuration File.
  3. Create Kerberos Principal Accounts in Active Directory.
  4. Generate the Service Principal Name and Keytab File Name Formats.
  5. Generate the Keytab Files.
  6. Enable Delegation for the Kerberos Principal User Accounts in Active Directory.

What is Kerberos authentication and how does it work?

Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users’ identities.

How do I check if an SPN is registered?

What is UPN and SPN?

UPN: an entity performing client requests to some service; the entity may be human or machine. SPN: an entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc.; machine only.