How Clients Compose a Service's SPN

To authenticate a service, a client application composes an SPN for the service instance to which it must connect. The client application can use the DsMakeSpn function to compose an SPN. The client specifies the components of the SPN using known data or data retrieved from sources other than the service itself.

An SPN has the following form:

<service class>/<host>:<port>/<service name>

In this form, "<service class>" and "<host>" are required. "<port>" and "<service name>" are optional.

Typically, the client recognizes the "<service class>" part of the name, and recognizes which of the optional components to include in the SPN. The client can retrieve components of the SPN from sources such as a service connection point (SCP) or user input. For example, the client can read the serviceDNSName attribute of a service's SCP to get the "<host>" component. The serviceDNSName attribute contains either the DNS name of the server on which the service instance is running or the DNS name of SRV records containing the host data for service replicas. The "<service name>" component, used only for replicable services, can be the distinguished name of the service's SCP, the DNS name of the domain served by the service, or the DNS name of SRV or MX records.
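As an added, portable illustration (not the page's own code and not the Win32 DsMakeSpn API), the following Python composes an SPN from the components described above and splits one back into them, rejecting strings that lack the required service class or host; host names, ports and service names used with it are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Spn:
    service_class: str                  # required, e.g. "ldap", "MSSQLSvc"
    host: str                           # required, e.g. the SCP's serviceDNSName value
    port: Optional[int] = None          # optional instance port
    service_name: Optional[str] = None  # optional, replicable services only

def make_spn(service_class: str, host: str, port: Optional[int] = None,
             service_name: Optional[str] = None) -> str:
    """Compose <service class>/<host>[:<port>][/<service name>]."""
    if not service_class or not host:
        raise ValueError("service class and host are required")
    if "/" in service_class or "/" in host or ":" in host:
        raise ValueError("separators inside service class or host make the SPN ambiguous")
    spn = f"{service_class}/{host}"
    if port is not None:
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        spn += f":{port}"
    if service_name:
        spn += f"/{service_name}"  # may itself contain '/', so it comes last
    return spn

def parse_spn(spn: str) -> Spn:
    """Split an SPN back into components, tolerating the optional parts."""
    service_class, sep, rest = spn.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    host_port, _, service_name = rest.partition("/")
    host, sep, port_text = host_port.partition(":")
    if not host:
        raise ValueError(f"SPN missing host: {spn!r}")
    port = None
    if sep:
        if not port_text.isdigit():
            raise ValueError(f"non-numeric port in SPN: {spn!r}")
        port = int(port_text)
    return Spn(service_class, host, port, service_name or None)

def is_well_formed(spn: str) -> bool:
    """True if parse_spn accepts the string, False otherwise."""
    try:
        parse_spn(spn)
        return True
    except ValueError:
        return False
```

For instance, `make_spn("MSSQLSvc", "sql01.corp.example.com", 1433)` yields `MSSQLSvc/sql01.corp.example.com:1433`, and `parse_spn` on that string returns the port as an integer with no service name (constructed host name).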

For more information and a code example used to compose an SPN for a service, see How a Client Authenticates an SCP-based Windows Sockets Service.

For more information and a description of the SPN components, see Name Formats for Unique SPNs.