Re: Service Principal Name in Kerberos



Hi Andrei,

Thanks for your feedback.

SPN =Domain\AppServerUser
This is not an SPN, as it does not use the syntax required. And I doubt you
really want the SPN for the _USER_. You either want the user UPN, or the
SPN of the _SERVICE_.

Depending on what your application does, it may be able to use Kerberos if
it builds a valid SPN from this data.
If you use this syntax to identify the user, it might be able to use
Kerberos when the local machine knows it has a Kerberos level trust with
"Domain".

Otherwise, you'll be better off if you'd use the UPN for the user, and if
there is no mapping between the UPN suffix and the AD domain FQDN and you
don't have a Kerberos level trust, you better use the implicit UPN. See:
929272 Interactive logon styles and Key Distribution Center account lookup
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;929272

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.
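
The name forms discussed in the reply above, as an added example that is not part of the original post or any Microsoft code: it tells an SPN (`serviceclass/host[:port][/servicename]`) apart from a UPN and a down-level `DOMAIN\user` name, and builds the implicit UPN (sAMAccountName@domain DNS name). The function names, the `corp.example.com` FQDN and the NetBIOS-to-FQDN map are assumptions made for illustration.

```python
import re

# SPN syntax: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(
    r"^(?P<service_class>[^/\\@:\s]+)/(?P<host>[^/\\@:\s]+)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<service_name>[^/\\\s]+))?$"
)
# UPN: user@suffix
UPN_RE = re.compile(r"^(?P<user>[^@\\/\s]+)@(?P<suffix>[^@\\/\s]+)$")
# Down-level logon name: DOMAIN\user (what "Domain\AppServerUser" is)
DOWNLEVEL_RE = re.compile(r"^(?P<domain>[^\\/@\s]+)\\(?P<user>[^\\/@\s]+)$")


def classify_principal(name):
    """Return (kind, parts); kind is 'spn', 'upn', 'downlevel' or 'invalid'."""
    name = name.strip()
    for kind, rx in (("downlevel", DOWNLEVEL_RE), ("upn", UPN_RE), ("spn", SPN_RE)):
        m = rx.match(name)
        if not m:
            continue
        parts = {k: v for k, v in m.groupdict().items() if v is not None}
        # A port outside 0-65535 cannot be part of a valid SPN.
        if kind == "spn" and int(parts.get("port", "0")) > 65535:
            return "invalid", {}
        return kind, parts
    return "invalid", {}


def implicit_upn(downlevel, netbios_to_fqdn):
    """Build the implicit UPN (sAMAccountName@domain DNS name) from DOMAIN\\user.

    netbios_to_fqdn is a caller-supplied map (hypothetical here); a real
    application would resolve the domain's DNS name from the directory.
    """
    kind, parts = classify_principal(downlevel)
    if kind != "downlevel":
        raise ValueError("expected DOMAIN\\user, got %r" % downlevel)
    return "%s@%s" % (parts["user"], netbios_to_fqdn[parts["domain"].upper()])


if __name__ == "__main__":
    # Constructed sample names; only Domain\AppServerUser comes from the thread.
    for n in (r"Domain\AppServerUser", "AppServerUser@corp.example.com",
              "HTTP/appserver.corp.example.com:8080", "HTTP/appserver:99999"):
        print("%-40s %s" % (n, classify_principal(n)))
    print(implicit_upn(r"Domain\AppServerUser", {"DOMAIN": "corp.example.com"}))
```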

