A Service Principal Name (SPN) is a unique identifier in Active Directory that binds one instance of a service to the account the service runs as, either a user (service) account or a computer account; it is stored in that account's servicePrincipalName attribute. SPNs are central to Kerberos authentication, the protocol that lets a signed-in user authenticate to services without re-entering credentials.
SPNs let Kerberos identify the specific service instance on a server so that a client can obtain a service ticket for it. When a user accesses a service such as a web server or a SQL Server instance, the client asks the Key Distribution Center (KDC, a domain controller) for a service ticket by naming the service's SPN. The KDC looks up the account that owns that SPN and issues a ticket encrypted with that account's long-term key, which is derived from the account's password; the service decrypts the ticket with the same key, and client and server can then communicate securely.
An SPN has the form serviceclass/host[:port][/servicename]: the service class (HTTP, MSSQLSvc, CIFS, LDAP, ...), the fully qualified host name, an optional port or instance name, and an optional service name. For example, an SPN might look like HTTP/webserver.domain.com or MSSQLSvc/sqlserver.domain.com:1433. SPNs must be unique within the forest: if the same SPN is registered on two accounts, the KDC cannot decide which key to use and Kerberos authentication to that service fails; setspn -X lists such duplicates.
Attackers exploit SPNs through Kerberoasting. Any authenticated domain user can request a service ticket for any SPN, and that ticket is encrypted with the owning account's key, so the attacker takes the ticket offline and guesses passwords until one decrypts it, recovering the service account's cleartext password. The technique targets SPNs registered on user accounts, whose passwords are chosen by people and rarely rotated; computer accounts are not practical targets because their passwords are long, random and changed every 30 days by default. Tickets encrypted with RC4 (encryption type 0x17) are keyed directly from the account's NT hash and crack far faster than AES tickets, whose keys are derived with PBKDF2, so attackers typically request RC4 explicitly.
Properly managing and auditing SPNs is therefore critical to secure Kerberos-based authentication in an Active Directory environment: inventory the accounts that carry SPNs, give them long random passwords or replace them with group Managed Service Accounts (gMSA), restrict them to AES through msDS-SupportedEncryptionTypes, and watch Security event 4769 for RC4 service-ticket requests and for a single account requesting tickets for many SPNs in a short time.
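The following is an added example, not part of the original article, that parses SPNs of the form described above and applies the uniqueness check. The sample SPN strings are constructed for the example and do not come from a real directory.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample SPNs for this example; they do not come from a real directory.
SAMPLE_SPNS = [
    "HTTP/webserver.domain.com",
    "MSSQLSvc/sqlserver.domain.com:1433",
    "MSSQLSvc/sqlserver.domain.com:INSTANCE01",   # SQL named instance instead of a port
    "ldap/dc01.domain.com/domain.com",            # three-part SPN with a service name
    "http/WEBSERVER.domain.com",                  # same service as the first entry, different case
]


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[str]          # port number or instance name, None when omitted
    service_name: Optional[str]  # optional third component, None when omitted


def parse_spn(spn: str) -> SPN:
    """Split 'serviceclass/host[:port][/servicename]' into its components.

    Raises ValueError for strings that do not follow the SPN format.
    """
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, port = host_part, None
    if ":" in host_part:
        host, port = host_part.rsplit(":", 1)
        if not host or not port:
            raise ValueError(f"malformed host:port in SPN: {spn!r}")
    return SPN(service_class, host, port, service_name)


def is_valid_spn(spn: str) -> bool:
    try:
        parse_spn(spn)
        return True
    except ValueError:
        return False


def normalize_spn(spn: str) -> str:
    """Canonical lower-case form; Windows compares SPNs case-insensitively."""
    p = parse_spn(spn)
    out = f"{p.service_class.lower()}/{p.host.lower()}"
    if p.port is not None:
        out += f":{p.port.lower()}"
    if p.service_name is not None:
        out += f"/{p.service_name.lower()}"
    return out


def find_duplicate_spns(spns):
    """Map each normalized SPN that appears more than once to its raw spellings.

    The KDC resolves an SPN to exactly one account to pick the key for the
    service ticket, so a duplicate breaks Kerberos for that service; this is
    the same check that 'setspn -X' performs.
    """
    by_key = {}
    for spn in spns:
        by_key.setdefault(normalize_spn(spn), []).append(spn)
    return {key: raw for key, raw in by_key.items() if len(raw) > 1}


if __name__ == "__main__":
    for spn in SAMPLE_SPNS:
        print(spn, "->", parse_spn(spn))
    print("duplicates:", find_duplicate_spns(SAMPLE_SPNS))
```

In practice the input list would be the servicePrincipalName values exported from every account in the forest; the duplicate check is the part worth running regularly, because a duplicate silently turns Kerberos failures into NTLM fallback for the affected service.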
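As an added example that is not part of the original article, the detection logic below runs over constructed Security event 4769 records (ticket-granting service requests) and flags the Kerberoasting pattern: one account obtaining RC4-encrypted service tickets for several user-account SPNs in a short window. The event records, account names and threshold values are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event 4769 records (not from a real domain), reduced to the fields
# the detection needs. Names follow the event's XML: TargetUserName is the
# requesting account, ServiceName the account that owns the SPN,
# TicketEncryptionType 0x17 = RC4-HMAC and 0x12 = AES256, Status 0x0 = success.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "TargetUserName": "alice@DOMAIN.COM", "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.15"},
    {"time": "2024-03-01T09:00:02", "TargetUserName": "alice@DOMAIN.COM", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.15"},
    {"time": "2024-03-01T09:05:10", "TargetUserName": "bob@DOMAIN.COM", "ServiceName": "svc_legacyapp", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.22"},
    {"time": "2024-03-01T09:12:00", "TargetUserName": "mallory@DOMAIN.COM", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    {"time": "2024-03-01T09:12:01", "TargetUserName": "mallory@DOMAIN.COM", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    {"time": "2024-03-01T09:12:01", "TargetUserName": "mallory@DOMAIN.COM", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    {"time": "2024-03-01T09:12:02", "TargetUserName": "mallory@DOMAIN.COM", "ServiceName": "svc_legacyapp", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.99"},
    {"time": "2024-03-01T09:12:02", "TargetUserName": "mallory@DOMAIN.COM", "ServiceName": "WEB01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.99"},
]

RC4_HMAC = "0x17"


def is_roastable_request(ev):
    """True for a successful TGS request that yields an RC4-encrypted ticket for
    an SPN owned by a user account (not a computer account, not the KDC itself)."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on accounts that obtain RC4 tickets for at least `threshold`
    distinct user-account SPNs within `window`. A normal client requests a
    ticket for the one service it uses; a Kerberoaster sweeps many SPNs."""
    requests = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            requests[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = []
    for account, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"account": account, "start": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

The RC4 filter is a heuristic, not a guarantee: an attacker who knows an account has AES enabled can request an AES ticket and crack it more slowly, so the per-account count of distinct SPNs requested should be baselined on its own as well. Expect benign noise from monitoring and discovery tools that legitimately touch many services, and tune the threshold and window to the environment.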
Thanks for reading: Service Principal Name (SPN). Sorry, my English is bad :)
