A Service Principal Name (SPN) account is a Windows Active Directory user or computer account that acts as a unique identifier for a service instance, allowing Kerberos authentication to map the service to the account running it. It is essential for enabling secure, single sign-on connections, particularly for services like SQL Server or IIS running under a specific domain account.

Key aspects of SPN accounts:

- Purpose: Links a network service (e.g., SQL Server, WWW) to a specific service account, which ensures authentication is directed to the correct instance.
- Components: An SPN consists of a service class (e.g., MSSQLSvc), a host name, and optionally a port.
- Automatic vs. manual: Services running as LocalSystem or NetworkService have automatically registered SPNs, but services running under a domain user account require manual registration using setspn.exe.
- Security: Properly configured SPNs are critical for security; if misconfigured, they can lead to credential theft via "Kerberoasting" attacks.
- Active Directory: SPNs are attributes stored in Active Directory, not typically visible in standard AD snap-ins.

For managing or creating an SPN on an account, you would typically use the setspn command-line tool, for example setspn -A <service class>/<host>[:<port>] <domain\account>, which registers that SPN on the given account.
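As an added example (not part of the original text), the following PowerShell audit lists the domain user accounts that carry SPNs, i.e. the manually registered service accounts described above, and flags the conditions that make a Kerberoasting attempt worthwhile for an attacker: old passwords, no AES advertised, disabled accounts that still hold SPNs, and malformed SPN values. The 365-day threshold, the AES bit mask and the SPN pattern are assumptions, and it requires the RSAT ActiveDirectory module.

```powershell
# Added audit example, not from the original page. Lists domain user accounts
# with SPNs (the ones whose service tickets are encrypted with the account's
# own password) and flags settings a defender would want to remediate.
Import-Module ActiveDirectory

# Assumed thresholds: flag passwords older than 365 days and accounts that do not
# advertise AES in msDS-SupportedEncryptionTypes (0x08 = AES128, 0x10 = AES256).
$MaxPasswordAgeDays = 365
$AesMask = 0x18

$users = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', Enabled |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }   # krbtgt is handled separately

foreach ($u in $users) {
    $findings = @()

    # General SPN shape: <service class>/<host>[:<port>][/<service name>]
    foreach ($spn in $u.ServicePrincipalName) {
        if ($spn -notmatch '^[^/\s]+/[^/\s:]+(:\d+)?(/[^/\s]+)?$') {
            $findings += "malformed SPN '$spn'"
        }
    }

    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings += "password last set $($u.PasswordLastSet.ToShortDateString())"
    }

    # Null or no AES bits means AES is not advertised for this account's tickets
    $enc = $u.'msDS-SupportedEncryptionTypes'
    if (-not $enc -or (($enc -band $AesMask) -eq 0)) {
        $findings += 'AES not advertised in msDS-SupportedEncryptionTypes'
    }

    if (-not $u.Enabled) { $findings += 'account disabled but still holds SPNs' }

    [PSCustomObject]@{
        Account  = $u.SamAccountName
        SPNs     = ($u.ServicePrincipalName -join '; ')
        Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
```

Accounts that show findings are candidates for migration to a group Managed Service Account or at least a long, rotated password and an AES-only encryption setting.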
