Resources For IT Professionals
Page Details
  • First published by (eMicrosoft Community Contributo)
  • When: 19 Nov 2012 7:40 PM
  • Last revision by (fMicrosof)
  • When: 7 Aug 2013 7:36 AM
  • Revisions: 24
  • Comments: 8
Options

Revision #21

Wiki  >  TechNet Articles  >  How a Client Application Finds a Service (SPN)  >  Revision #21
How a Client Application Finds a Service (SPN)
You are currently reviewing an older revision of this page.
Go to current version

Table of Contents


 
Clients find service objects by querying the directory. The client can limit the scope of the query to its domain, or it can search the entire forest by using the global catalog. In either case, the client does not need information about the location of the service to perform the search.

If the connection point objects that are being searched for are direct instances of the serviceConnectionPoint class, a client application can locate published services by searching for any object where objectCategory is equal to serviceConnectionPoint and objectClass is equal to serviceConnectionPoint. The keywords attribute contains the vendor-specific and application-specific GUID.

For more information about how a client application finds a service, see the “Microsoft Platform SDK” on MSDN.

How a Client Composes an SPN

Source: http://technet.microsoft.com/en-us/library/cc755804(v=ws.10).aspx#w2k3tr_adspn_how_tpop

"To mutually authenticate a service, a client application composes an SPN for the service instance to which it wants to connect and then presents this SPN to the KDC for authentication. The client application can use DsMakeSpnfunction to compose an SPN. The client specifies the components of the SPN by using known information or information that is retrieved from sources other than the service itself.

The form of an SPN is as follows, where ServiceClass and Host are required and Port and ServiceName are optional:

ServiceClass/Host:Port/ServiceName

A client application can retrieve components of the SPN from sources such as a connection point object, user input, or hard-coded strings that are contained within the client application. For example, the client can read the serviceDNSName attribute of a service’s connection point object to get the Host component. The serviceDNSName attribute contains either the DNS name of the server on which the service instance is running or the DNS name of SRV records that contain the host information for service replicas. The ServiceName component, which is used only for replicable services, can be the distinguished name of the service’s connection point object, the DNS name of the domain that is served by the service, or the DNS name of SRV or MX records."

Differences between the delegation tab betweens the DC, Client computer & User account


   
Above snap from a Domain controller



Above snap from a normal computer account.

Above snap taken from an user account (There is no delegation tab)



Above snap is taken from an user account but delegation tab is present there coz I have added some SPNs with below commands.

C:\>setspn -A http/Kol-ads01 bshwjt
Registering ServicePrincipalNames for CN=bshwjt bshwjt,CN=Users,DC=gs,DC=com
        http/Kol-ads01
Updated object

C:\>setspn -A http/Kol-ads01.gs.com bshwjt
Registering ServicePrincipalNames for CN=bshwjt bshwjt,CN=Users,DC=gs,DC=com
        http/Kol-ads01.gs.com
Updated object


Added the below snap for your reference
  

 

 

Credits

Some content taken from: 

http://technet.microsoft.com/en-us/library/cc755804(v=ws.10).aspx#w2k3tr_adspn_how_tpop

See also

The biggest mistake: ServicePrincipalName’s
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx
Creating a service principal name and keytab file
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_create_service_account.html

Revert to this revision