Kerberos – Adding a SPN to a Domain User

Tags: active-directory, integrated-authentication, kerberos, service, spn

When adding a new SPN into the Kerberos domain, you have the option of mapping the SPN to a user. In general, I join the domain through Integrated Windows Authentication, and this creates a new computer account for the service, but now, I would like to try using Kerberos without IWA.

I believe I have a thorough understanding of how Kerberos authenticates clients for a computer host (good enough for what I'm trying to do) – but what exactly does mapping a SPN to a domain user do?

Edit: I am not asking about how SPNs work in general. I am asking specifically about the details of mapping a SPN to a domain USER.

Answer:

  1. Kerberos will allow that specific user to HOST this service – rather than authenticating with a computer host account, the server would be joined into the Kerberos domain under this specific user. Authentication occurs via this user.

Any further information would be greatly appreciated.

Best Answer

An AD user account will have a Service Principal Name only if it is used to run a service. As such, most AD user accounts will not have any Service Principal Names. The most common case in which an AD user account has SPNs is when that account is used as a service account to run MS SQL, IIS, etc. If an AD user account is used to operate a service, but no SPN is registered in AD, then that service cannot use Kerberos.

In contrast, AD user accounts will always have a User Principal Name.

Service principal names are associated with the security principal (user or group) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service, or the client can obtain that information from a trusted third party, such as Active Directory. A service principal name is associated with an account, and an account can have many service principal names.
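The procedure the answer describes (register an SPN on a user account rather than a computer account, then check that the account's UPN and SPNs are distinct things), as an added PowerShell example that is not part of the original question or answer. It assumes a domain CORP.EXAMPLE.COM, a service account CORP\svc-web that the IIS/SQL process actually runs as, a service host web01.corp.example.com and the HTTP service class; all of these names are hypothetical. It requires the RSAT ActiveDirectory module and rights to write servicePrincipalName on the account.

```powershell
# Added example, not from the original post. All names below are assumptions:
# domain CORP.EXAMPLE.COM, service account svc-web, host web01.corp.example.com.
# Run from a domain-joined admin workstation with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Account = 'svc-web'
$Spns    = @('HTTP/web01.corp.example.com', 'HTTP/web01')   # FQDN and short form

# 1. An SPN must be unique in the forest. If two accounts hold the same SPN the KDC
#    cannot decide whose key to encrypt the service ticket with, and Kerberos
#    silently fails for that service (clients fall back to NTLM if allowed).
#    Check before registering. Equivalent CLI: setspn -Q HTTP/web01.corp.example.com
foreach ($spn in $Spns) {
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($holder) {
        throw "SPN $spn is already registered on $($holder.DistinguishedName)"
    }
}

# 2. Map the SPNs to the USER account. Equivalent CLI:
#    setspn -S HTTP/web01.corp.example.com CORP\svc-web   (-S also refuses duplicates)
Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spns }

# 3. Verify. The UPN exists on every user; the SPNs exist only because we added them.
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, userPrincipalName
"UPN : $($u.UserPrincipalName)"
"SPNs: $($u.ServicePrincipalName -join ', ')"

# 4. Tickets for these SPNs are encrypted under svc-web's long-term key. Restrict the
#    account to AES so the KDC never issues them under RC4.
#    0x18 = AES128-CTS-HMAC-SHA1-96 (0x08) + AES256-CTS-HMAC-SHA1-96 (0x10).
Set-ADUser -Identity $Account -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }

# 5. Forest-wide duplicate sweep after the change (prints nothing when clean).
setspn -X

# 6. From any client, ask the KDC for a service ticket for the new SPN. A ticket
#    whose Server line is HTTP/web01.corp.example.com @ CORP.EXAMPLE.COM proves the
#    mapping works; KDC_ERR_S_PRINCIPAL_UNKNOWN means the SPN is not registered.
klist purge | Out-Null
klist get HTTP/web01.corp.example.com
```

The part that answers the question is step 2 together with step 6: after the mapping, the KDC encrypts every service ticket for HTTP/web01.corp.example.com with svc-web's key, so only a process running as svc-web can decrypt it and accept the client. The service must therefore actually run under that account, and the account's password should be long and random (or the account should be a group Managed Service Account), because that password-derived key is what protects every ticket issued for those SPNs.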
