What Are Service Publication and Service Principal Names?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In this section
The Business Need
The Service Publication and SPN Solution
Service Publication and SPN Scenarios
Related Information
Services use service publication in Active Directory to provide information about themselves in the directory for easy discovery by client applications and other services. Service publication occurs when the installation program for a service publishes information about the service, including binding and keyword information, to the directory. In addition, Active Directory supports service principal names (SPNs) as a means by which client applications can identify and authenticate the services that they use. Service publication is accomplished through the creation of service objects (also called connection point objects) in Active Directory. Service authentication is accomplished through Kerberos authentication of SPNs.
Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.
The Business Need
As organizations come to rely more heavily on distributed services for getting work accomplished, service consumers (that is, users and client applications) in those organizations need a way to search for and discover services on the network quickly and easily. At the same time, administrators need to protect service consumers from insecure or unidentified services and to keep track of valid services that are running on their networks.
The Service Publication and SPN Solution
Service publication and SPNs are two separate, independently deployable Active Directory technologies that together provide a complete solution for the service discovery and authentication needs in an organization.
Service publication in Active Directory enables users and applications to find services on the network — without having to know on which server the service resides — through the use of connection point objects in the directory. A connection point object is created by a service at the time that the service is installed. The service uses this object to publish information about itself, including binding information and searchable keywords. Clients of the service can search against the data that is stored in connection point objects in the directory to find out about services on the network.
Service consumers can use SPNs in Active Directory to authenticate the identity of services before using the services. An SPN is a unique attribute that resides on the account object in whose security context a given service runs. SPN structures generally follow Internet Engineering Task Force (IETF) naming conventions, and they often include the name of the computer on which the service is running. SPNs may be used to request Kerberos tickets, and they are required for mutual authentication between clients and services. For more information about SPNs, see “How Service Publication and Service Principal Names Work.”
Before connecting to a service, a service consumer can construct an SPN string that matches the SPN of the service by using information that is gathered from a connection point object or some other source. The service consumer can then present this SPN string to the Key Distribution Center (KDC) and request that the KDC authenticate the service that is represented by the SPN.
The following figure illustrates the relationship between services, client applications, and Active Directory.
Service Publication and SPNs in Active Directory
Service Publication and SPN Scenarios
The following sections describe the scenarios to which service publication and SPNs most commonly apply.
Standardized Service Publication
Service publication through connection point objects is most commonly used by organizations to establish a single, standard mechanism for publishing service information throughout the organization. This scenario takes advantage of Active Directory as the single, pervasive directory service that is available to all clients throughout the network. This scenario involves services that can write connection point objects to the directory. As an alternative, administrators can create and maintain connection point objects manually.
Protecting Clients from Unauthorized Services
In this scenario, organizations that are concerned about protecting clients from unauthorized services use SPNs as a way to enable client authentication of services. This scenario involves client applications that can request authentication of SPNs.
Related Information
“Microsoft Platform SDK” on MSDN for more information about service publication (in “Service Publication”)
“Microsoft Platform SDK” on MSDN for more information about service authentication (in “Mutual Authentication Using Kerberos”)