SPNs

Active Directory Service Principal Names (SPNs) Descriptions

Excellent article describing how Service Principal Names (SPNs) are used by Kerberos and Active Directory:
Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

This page is a comprehensive reference (as comprehensive as possible) for Active Directory Service Principal Names (SPNs). As I discover more SPNs, they will be added.

SPN Application URL Reference
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}
{54094C05-F977-4987-BFC9-E8B90E088973} Graphon http://www.graphon.com/files/GGWH4_Admin_Guide.pdf
AcronisAgent Acronis backup/data recovery software
AdtServer Microsoft System Center Operations Manager (2007/2012) Management Server with ACS http://blogs.technet.com/b/jonathanalmquist/archive/2008/08/14/operations-manager-2007-spn-s.aspx
afpserver Apple Filing Protocol http://en.wikipedia.org/wiki/Apple_Filing_Protocol
AFServer Pi AF Server https://livelibrary.osisoft.com/LiveLibrary/content/en/server-v2/GUID-AF6629ED-F956-4E41-B69E-D441A613785C
Agent VProRecovery Norton Ghost 12.0 VProRecovery Norton Ghost 12.0
AgpmServer Microsoft Advanced Group Policy Management (AGPM) http://technet.microsoft.com/en-us/library/ee390978.aspx
aradminsvc Quest Active Roles Server https://support.oneidentity.com/technical-documents/active-roles/7.0/administrator-guide/24
Backup Exec System Recovery Agent 6.x Backup Exec System Recovery Agent 6.x
BICMS SAP Business Objects https://blogs.sap.com/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4/
BO3SSO Business Objects?
BOCMS SAP Business Objects https://blogs.sap.com/2013/11/25/business-objects-ad-authentication-with-kerberos-with-multiple-domains/
BOSSO Business Objects http://scn.sap.com/thread/2006267
CAXOsoftEngine CA XOsoft Exchange Replication
CAARCserveRHAEngine CA ArcServe
CESREMOTE seems to be related to a Citrix VDI solution on VMWare. Many VDI workstations have this SPN.
CIFS Common Internet File System http://technet.microsoft.com/en-us/library/cc939973.aspx
ckp_pdp Checkpoint Identity https://sc1.checkpoint.com/documents/R76/CP_R76_IdentityAwareness_AdminGuide/63005.htm
CmRcService Microsoft System Center Configuration Manager (SCCM) Remote Control
Cognos IBM Cognos https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_inst_sso_active_drctry_constrained_del.html
CUSESSIONKEYSVR Cisco Unity VOIP System
cvs CVS Repository
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04 Distributed File System Replication
DNS Domain Name Server http://en.wikipedia.org/wiki/Domain_Name_System
DynamicsNAV Microsoft Dynamics?
E3514235-4B06-11D1-AB04-00C04FC2DCD2 NTDS DC RPC Replication http://www.eventid.net/display-eventid-1645-source-NTDS%20Replication-eventno-351-phase-1.htm
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM Microsoft ADAM Instance http://technet.microsoft.com/en-us/library/cc776694%28v=ws.10%29.aspx
exchangeAB Exchange Address Book service (typically a Domain Controller supporting NSPI, which is usually all GCs) http://technet.microsoft.com/en-us/library/ff808312%28v=exchg.141%29.aspx
exchangeMDB RPC client access – Client Access Server role http://technet.microsoft.com/en-us/library/ff808312%28v=exchg.141%29.aspx
exchangeRFR Exchange Address Book service http://technet.microsoft.com/en-us/library/ff808312%28v=exchg.141%29.aspx
EDVR ExacqVision https://www.exacq.com/auto/manspec/files/5fea24a1-ad10-9c14-355a-5361ef928482.pdf?rand=9.944301796145737
fcsvr Apple Final Cut Server
FIMService Microsoft Forefront Identity Manager (FIM) http://technet.microsoft.com/en-us/library/jj134299%28v=ws.10%29.aspx
FileRepService WSFileRepService.exe ? http://msdn.microsoft.com/en-us/library/windows/desktop/dd323324%28v=vs.85%29.aspx
ftp File Transfer Protocol http://en.wikipedia.org/wiki/File_Transfer_Protocol
flume Clodera Flume https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cdh_sg_flume_security.html
gateway Hadoop Knox https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
GC Domain Controller Global Catalog services http://msdn.microsoft.com/en-us/library/dd207688.aspx
hbase Cloudera Hbase https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cdh_sg_hbase_authentication.html
HBase Hadoop MasterServer https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
hdb Hana DB https://blogs.sap.com/2018/02/24/single-sign-on-sso-configuration-for-hana-db-using-kerberos/
hdfs Hadoop https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
hive Hadoop Metastore https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
host The HOST service represents the host computer. The HOST SPN is used to access the host computer account whose long term key is used by the Kerberos protocol when it creates a service ticket. http://msdn.microsoft.com/en-us/library/ff649429.aspx
HTTP SPN for http web services that support Kerberos authentication
httpfs Hadoop HDFS over HTTP https://hadoop.apache.org/docs/r2.4.1/hadoop-hdfs-httpfs/index.html
https SPN for http web services that support Kerberos authentication
Hue Hadoop Hue Interface https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
Hyper-V Replica Service Microsoft Hyper-V’s Replica Service
iem IBM BigFix https://www.ibm.com/developerworks/community/forums/html/topic?id=0e650054-30e4-4bef-ba18-344bb00cd503
IMAP Internet Message Access Protocol http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
IMAP4 Internet Message Access Protocol version 4 http://technet.microsoft.com/en-us/magazine/2006.03.howitworksimap4.aspx
impala Cloudera Impala https://www.cloudera.com/documentation/enterprise/5-9-x/topics/impala_kerberos.html
ImDmsSvc Worksite (Imanage) Server https://www.scribd.com/document/221190593/Worksite-Server-Administrators-Guide-8-5-for-Imanage-server
ipp Internet Printing Protocol http://technet.microsoft.com/en-us/library/cc757981%28v=ws.10%29.aspx
iSCSITarget iSCSI Configuration http://technet.microsoft.com/en-us/library/ee338480%28v=ws.10%29.aspx
jboss RedHat Jboss https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/how_to_setup_sso_with_kerberos/index
JournalNode Server Hadoop JournalNode https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
kadmin Kerberos http://technet.microsoft.com/en-us/library/bb742433.aspx
Kafka Hadoop KafkaServer https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
kafka Apache Kafka http://www.gi-architects.co.uk/2016/10/building-a-kerberised-via-ad-and-tlsssl-enabled-apache-kafka-cluster/
kudu Apache Kudu
kafka_mirror_maker Apache Kafka
krbsvr400 IBM OS/400 https://www-01.ibm.com/software/webservers/hostondemand/library/v8infocenter/hod/en/tutorials/webexpress/scenario3_enableOS400_p1.html
ldap LDAP service such as on a Domain Controller or ADAM instance. http://support.microsoft.com/kb/837513
LiveState Recovery Agent 6.x Symantec LiveState Recovery http://eval.veritas.com/mktginfo/enterprise/fact_sheets/ent-factsheet_livestate_recovery_6.0_08-2005.en-us.pdf
magfs Maginatics MagFS http://downloads.maginatics.com/MaginaticsMagFSTechnicalWhitepaper.pdf
mapred Cloudera Map reduce http://www.cloudera.com/documentation/archive/cdh/4-x/4-7-1/CDH4-Security-Guide/cdh4sg_topic_3_4.html
M-Files M-Files? https://www.m-files.com/en
Microsoft Virtual Console Service HyperV Host http://blogs.technet.com/b/matthts/archive/2012/06/10/configuring-kerberos-constrained-delegation-for-hyper-v-management.aspx
Microsoft Virtual System Migration Service P2V Support (Hyper-V) http://www.hyper-v.nu/archives/pnoorderijk/2013/03/microsoft-virtual-system-migration-serviceservice-is-missing/
mongod MongoDB Enterprise http://docs.mongodb.org/manual/core/kerberos/
mongos MongoDB Enterprise http://docs.mongodb.org/manual/core/kerberos/
mr2 Hadoop History Server https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
MSClusterVirtualServer Windows Cluster Server http://support.microsoft.com/kb/302389
MSCRMAsyncService Microsoft Dynamics 365 https://technet.microsoft.com/en-us/library/hh699825.aspx
MSCRMSandboxService Microsoft Dynamics 365 https://technet.microsoft.com/en-us/library/hh699825.aspx
MSOLAPDisco.3 SQL Server Analysis Services http://support.microsoft.com/kb/917409
msolapdisco3 SQL Server Analysis Services http://support.microsoft.com/kb/917409
MSOLAPSvc SQL Server Analysis Services http://support.microsoft.com/kb/917409
MSOLAPSvc.3 SQL Server Analysis Services http://support.microsoft.com/kb/917409
MSOMHSvc Micrsoft SCOM 2012 https://blogs.technet.microsoft.com/kevinholman/2011/08/08/opsmgr-2012-what-should-the-spns-look-like/
MSOMSdkSvc Micrsoft SCOM 2012 https://blogs.technet.microsoft.com/kevinholman/2011/08/08/opsmgr-2012-what-should-the-spns-look-like/
MSServerCluster Windows Cluster Server http://support.microsoft.com/kb/302389
MSServerClusterMgmtAPI This SPN is needed for cluster APIs to authenticate to the server by using Kerberos
MSSQL Microsoft SQL Server http://msdn.microsoft.com/en-us/library/ms191153.aspx
MSSQL$ADOBECONNECT Microsoft SQL Server supporting Adobe Connect
MSSQL$BIZTALK Microsoft SQL Server supporting Microsoft Biztalk Server
MSSQL$BUSINESSOBJECTS Microsoft SQL Server supporting Business Objects
MSSQL$DB01NETIQ Microsoft SQL Server supporting NetIQ
MSSQLSvc Microsoft SQL Server http://msdn.microsoft.com/en-us/library/ms191153.aspx
NAV2016 Microsoft Dynamics NAV
nfs Network File System http://blogs.technet.com/b/filecab/archive/2012/10/09/how-to-nfs-kerberos-configuration-with-linux-client.aspx
Norskale Citrix Infrastructure https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html
NPPolicyEvaluator Quest Change Auditor
NPRepository4(DEFAULT) Quest Change Auditor https://support.quest.com/change-auditor/kb/97153/how-to-move-the-service-principal-name-spn-from-computer-object-to-a-domain-user
NPRepository4(*) Quest Change Auditor https://support.quest.com/change-auditor/kb/97153/how-to-move-the-service-principal-name-spn-from-computer-object-to-a-domain-user
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232 NT File Replication Service http://en.wikipedia.org/wiki/File_Replication_Service
oozie Hadoop Oozie Server https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
OA60 OpenAccess (sometimes) https://knowledgebase.progress.com/articles/Article/9903
oracle Oracle Kerberos auth https://bjornnaessens.wordpress.com/2012/12/21/configuring-kerberos-for-oracle-databases-11-2-with-win2008r2-ad/
pcast Apple Podcast Producer
PCNSCLNT Automated Password Synchronization Solution (MIIS 2003 & FIM) http://technet.microsoft.com/en-us/library/cc720654%28v=ws.10%29.aspx
PIServer Pi AF Server https://livelibrary.osisoft.com/LiveLibrary/content/en/server-v2/GUID-AF6629ED-F956-4E41-B69E-D441A613785C
POP Post Office Protocol
POP3 Post Office Protocol version 3
PVSSoap Citrix Provisioning Services (7.1) http://support.citrix.com/proddocs/topic/provisioning-7/pvs-install-task1-plan-6-0.html
postgres Postgres database server https://serverfault.com/questions/225428/how-to-set-the-spn-for-postgres-sspi
RestrictedKrbHost The class of services that use SPNs with the serviceclass string equal to “RestrictedKrbHost”, whose service tickets use the computer account’s key and share a session key. http://msdn.microsoft.com/en-us/library/dd973891.aspx
RPC Remote Procedure Call
SAP SAP/SAPService<SID> http://help.sap.com/saphelp_nwsso20/helpdata/en/57/a3f6afc2eb4aea8d2a31f6482f09f3/content.htm?frameset=/en/15/561fdb7eab4f5d9bf2c6c1d6829373/frameset.htm&current_toc=/en/ba/a0222bf5da4ed3a655eaef1e4a3b60/plain.htm&node_id=128
SAPService SAP/SAPService<SID> http://help.sap.com/saphelp_nwsso20/helpdata/en/57/a3f6afc2eb4aea8d2a31f6482f09f3/content.htm?frameset=/en/15/561fdb7eab4f5d9bf2c6c1d6829373/frameset.htm&current_toc=/en/ba/a0222bf5da4ed3a655eaef1e4a3b60/plain.htm&node_id=128
SAS SAS 9.3 Intelligence Platform https://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n1d1zo1jsf2o0en1ehu4c4simfky.htm
SCVMM Micrsoft System Center Virtual Machine Manager (SCVMM) https://docs.microsoft.com/en-us/system-center/vmm/plan-install?view=sc-vmm-1807
SQLAgent$DB01NETIQ SQL service for NetIQ
secshd IBM InfoSphere
SeapineLicenseSvr Helix ALM
sentry Cloudera Enterprise 5.2.x
sip Session Initiation Protocol http://msdn.microsoft.com/en-us/library/cc246225.aspx
SMTP Simple Mail Transfer Protocol http://technet.microsoft.com/en-us/library/aa995897%28v=exchg.80%29.aspx
SMTPSVC Simple Mail Transfer Protocol http://technet.microsoft.com/en-us/library/aa995897%28v=exchg.80%29.aspx
SoftGrid Microsoft Application Virtualization (App-V)  formerly “SoftGrid” http://blogs.technet.com/b/appv/archive/2008/08/21/how-to-configure-the-app-v-management-server-service-to-run-as-a-service-account.aspx
solr Apache Solr
spark Apache Spark Server https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_spark-component-guide/content/configuring-kerb.html
*informatica* Informatica https://kb.informatica.com/faq/7/Pages/2/158917.aspx
Storm Hadoop Nimbus server https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
STS VMWare SSO service http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058298
tapinego Associated with routing applications such as Microsoft firewalls (ISA, TMG, etc)
TERMSERV Microsoft Remote Desktop Protocol Services, aka Terminal Services. http://technet.microsoft.com/en-us/library/ee891066%28v=ws.10%29.aspx
TERMSRV Microsoft Remote Desktop Protocol Services, aka Terminal Services. http://technet.microsoft.com/en-us/library/ee891066%28v=ws.10%29.aspx
tnetdgines Juniper Kerberos auth? “Tnetd is a daemon used for internal communication between different components like Routing Engine and Packet Forwarding En
VCSClusterVirtualServer Microsoft Cluster Server
VMMSvc Micrsoft System Center Virtual Machine Manager (SCVMM)
vmrc Microsoft Virtual Server 2005 http://support.microsoft.com/kb/890893
vnc VNC Server VNC Server
vpn Virtual Private Network
VProRecovery Backup Exec System Recovery Agent 7.0
VProRecovery Backup Exec System Recovery Agent 8.0
VProRecovery Backup Exec System Recovery Agent 8.5
VProRecovery Backup Exec System Recovery Agent 9.0
VProRecovery Norton Ghost Agent 12.0
VProRecovery Norton Ghost Agent 14.0
VProRecovery Norton Ghost Agent 15.0
VProRecovery Symantec System Recovery Agent 10.0
VProRecovery Symantec System Recovery Agent 11.0
VProRecovery Symantec System Recovery Agent 11.1
VProRecovery Symantec System Recovery Agent 14.0
vssrvc Microsoft Virtual Server (2005) http://support.microsoft.com/kb/890893
WSMAN Windows Remote Management (based on WS-Management standard) service http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-management-troubleshooting.aspx
xgrid Apple’s distributed (grid) computing / Mac OS X 10.6 Server Admin http://en.wikipedia.org/wiki/Xgrid
xmpp Extensible Messaging and Presence Protocol (Jabber) http://en.wikipedia.org/wiki/XMPP
yarn Hadoop NodeManager https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
yarn Cloudera MapReduce Cloudera MapReduce
Zeppelin Hadoop Zeppelin Server https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
ZooKeeper Hadoop ZooKeeper https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/creating_service_principals_and_keytab_files_for_hdp.html
zookeeper Cloudera Zookeeper http://www.cloudera.com/documentation/cdh/5-1-x/CDH5-Security-Guide/cdh5sg_zookeeper_security.html

 

NOTE:
Domain Controllers automatically map common SPNs to the “HOST” SPN.

The HOST SPN is automatically added to the ServicePrincipalName attribute for all computer accounts when the computer is joined to the domain.

The Domain Controller SPN mapping is controlled by the attribute “SPNMappings” in the following location:
“CN=Directory Service,CN=WindowsNT,CN=Services,CN=Configuration”

The following SPNs are automatically mapped to HOST (SPNMapping property value):

  • alerter
  • appmgmt
  • cisvc
  • clipsrv
  • browser
  • dhcp
  • dnscache
  • replicator
  • eventlog
  • eventsystem
  • policyagent
  • oakley
  • dmserver
  • dns
  • mcsvc
  • fax
  • msiserver
  • ias
  • messenger
  • netlogon
  • netman
  • netdde
  • netddedsm
  • nmagent
  • plugplay
  • protectedstorage
  • rasman
  • rpclocator
  • rpc
  • rpcss
  • remoteaccess
  • rsvp
  • samss
  • scardsvr
  • scesrv
  • seclogon
  • scm
  • dcom
  • cifs
  • spooler
  • snmp
  • schedule
  • tapisrv
  • trksvr
  • trkwks
  • ups
  • time
  • wins
  • www
  • http
  • w3svc
  • iisadmin
  • msdtc

 

Here’s the PowerShell code to pull the value of the Directory Service property SPNMapping :

Import-Module ActiveDirectory

$ADDomainDistinguishedName = (Get-ADDomain).DistinguishedName

(Get-ADObject -Identity `
“CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$ADDomainDistinguishedName” `
-Partition “CN=Configuration,$ADDomainDistinguishedName” -Properties sPNMappings).SPNMappings

The results:

host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,
oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,
plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,
seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
iisadmin,msdtc

 

(Visited 135,993 times, 10 visits today)