2.2.21 Service Principal Name

The service principal name is the name that a client uses to identify a service for mutual authentication. For more details, see [RFC1964] section 2.1.1.

A service principal name (SPN) (2) is a string with the following format:

 serviceclass "/" hostname [":"port | ":"instancename] ["/" servicename]

An SPN (2) consists of either two parts or three parts, each separated by a forward slash ("/"). The first part is the service class, the second part is the host name, and the third part (if present) is the service name. The host name part can optionally be suffixed with either a ":port" component or an ":instancename" component. A port component is distinguished from an instancename component by being entirely composed of numeric digits.

For example, "ldap/dc-01.fabrikam.com/fabrikam.com" is a three-part SPN where "ldap" is the service class name, "dc-01.fabrikam.com" is the host name, and "fabrikam.com" is the service name.
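The grammar above, turned into a small parser (an added illustration, not code from MS-ADTS; the `Spn` field names are my own choice). It splits on "/", enforces the two-or-three-part rule, and applies the all-digits test to tell a ":port" suffix from an ":instancename" suffix.

```python
"""Parser for SPNs of the form:
   serviceclass "/" hostname [":"port | ":"instancename] ["/" servicename]
Added example; field names below are assumptions, not MS-ADTS terms."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Spn:
    service_class: str
    host_name: str
    port: Optional[int] = None           # set when the suffix is all digits
    instance_name: Optional[str] = None  # set for any other non-empty suffix
    service_name: Optional[str] = None   # third part, present only in 3-part SPNs


def parse_spn(spn: str) -> Spn:
    """Split an SPN into its components; raise ValueError if it is malformed."""
    parts = spn.split("/")
    if len(parts) not in (2, 3):
        raise ValueError(f"SPN must have two or three '/'-separated parts: {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    if not service_class or not host_part or service_name == "":
        raise ValueError(f"SPN has an empty component: {spn!r}")

    # The host part may carry exactly one ":" suffix.
    host_name, sep, suffix = host_part.partition(":")
    if not host_name:
        raise ValueError(f"SPN has an empty host name: {spn!r}")
    port = instance_name = None
    if sep:
        if not suffix:
            raise ValueError(f"SPN has an empty ':' suffix: {spn!r}")
        # "Entirely composed of numeric digits" => port; isascii() keeps
        # non-ASCII Unicode digits from being accepted as a port number.
        if suffix.isascii() and suffix.isdigit():
            port = int(suffix)
        else:
            instance_name = suffix
    return Spn(service_class, host_name, port, instance_name, service_name)


def is_valid_spn(spn: str) -> bool:
    """True if parse_spn accepts the string, False otherwise."""
    try:
        parse_spn(spn)
        return True
    except ValueError:
        return False
```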

See Mutual Authentication (section 5.1.1.4) for an example of how three-part SPNs (2) are used. See [SPNNAMES] for more information about SPN format and composing a unique SPN.