Service Principal Name (SPN).doc


8/14/2019 Service Principal Name (SPN).doc

Security Account Delegation

Security account delegation is the ability to connect to multiple servers and, with each server change, to retain the authentication credentials of the original client. For example, if a user (LONDON\joetuck) connects to ServerA, which then connects to ServerB, ServerB knows that the connection security identity is LONDON\joetuck.

To use delegation, all servers that you are connecting to must be running Microsoft Windows 2000 with Kerberos support enabled, and you must be using Microsoft Active Directory, the directory service for Windows 2000. The following options in Active Directory must be set as follows for delegation to work:

- The "Account is sensitive and cannot be delegated" check box must not be selected for the user requesting delegation. This setting exists to keep administrative and other high-value accounts from being impersonated by a delegating server, so clear it only for the accounts that actually need to be delegated.
- The "Account is trusted for delegation" check box must be selected for the service account of SQL Server.
- The "Computer is trusted for delegation" check box must be selected for the server running an instance of Microsoft SQL Server.

Note that "trusted for delegation" on Windows 2000 is unconstrained delegation: a server or service account marked this way can use the delegated credentials against any service in the forest, not only the intended back-end server, so grant it only to the specific service account and computer that need it.

To use security account delegation, SQL Server must have:

- A Service Principal Name (SPN) assigned by the Windows 2000 account domain administrator.
- The SPN must be assigned to the service account of the SQL Server service on that particular computer.

Delegation enforces mutual authentication. (Marginal note in the original, translated: authorization is enforced by mutual authentication.)

The SPN proves that SQL Server is verified on the particular server, at the particular socket address, by the Windows 2000 account domain administrator. You can have your domain administrator establish an SPN for SQL Server with the setspn utility from the Windows 2000 Resource Kit. If no SPN matches the server and port the client connects to, the client cannot obtain a Kerberos service ticket and falls back to NTLM; the connection to the first server still succeeds, but NTLM credentials cannot be delegated, so the hop to the second server fails (typically as an anonymous logon).

To create an SPN for SQL Server, enter the following at a command prompt:

    setspn -A MSSQLSvc/Host:port serviceaccount

For example:

    setspn -A MSSQLSvc/server1.redmond.microsoft.com sqlaccount

The syntax line includes the TCP port because the client builds the SPN it requests from the host name and port it connects to; an SPN registered without the port will not match a request for host:port, so include the port unless you are certain the client requests the SPN without it.

For more information about the setspn utility, see the Windows 2000 documentation.

Before enabling delegation, consider the following:

- You must be using TCP/IP. You cannot use Named Pipes, because the SPN targets a particular TCP/IP socket. If you are using multiple ports, you must have an SPN for each port.
- You can also enable delegation by running under the LocalSystem account. SQL Server will self-register at service startup and automatically register the SPN. This option is easier than enabling delegation using a domain user account. However, when SQL Server shuts down, the SPNs will be unregistered for the LocalSystem account.

Note: If you change service accounts in SQL Server, you need to delete any previous SPNs (setspn -D) and create new ones. Leaving the old SPN in place while adding it to the new account produces a duplicate SPN in the domain, and the KDC cannot issue a ticket for an SPN that resolves to two accounts, so Kerberos authentication to the instance then fails.
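The following PowerShell script is an added example, not code from the original document or from SQL Server Books Online. It performs the procedure on this page end to end: it reads the three delegation check boxes as their userAccountControl bits (TRUSTED_FOR_DELEGATION is 0x80000, NOT_DELEGATED is 0x100000), refuses to continue if any of them is wrong, and registers one MSSQLSvc SPN per TCP port only after confirming that no other account already holds that SPN, which is the duplicate case the note above warns about. It assumes the ActiveDirectory PowerShell module (part of RSAT on later Windows versions, so it is run from a management host rather than with the Windows 2000 Resource Kit setspn), and the account, host, computer and port values are placeholders to replace with your own.

```powershell
# Added example, not part of the original document. Checks the three
# Active Directory settings named on this page and registers one MSSQLSvc SPN
# per TCP port, which is what the setspn commands on this page do by hand.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the caller
# may write servicePrincipalName on the service account. Names are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'sqlaccount'                     # SQL Server service account (assumed)
$SqlHost        = 'server1.redmond.microsoft.com'  # FQDN the clients connect to (assumed)
$ComputerName   = 'SERVER1'                        # computer account of that host (assumed)
$Ports          = @(1433)                          # one SPN is required per listening port
$ClientUser     = 'joetuck'                        # user whose identity is to be delegated

# userAccountControl bits behind the check boxes named on this page
$TRUSTED_FOR_DELEGATION = 0x80000    # "Account / Computer is trusted for delegation"
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

$svc  = Get-ADUser     -Identity $ServiceAccount -Properties userAccountControl
$comp = Get-ADComputer -Identity $ComputerName   -Properties userAccountControl
$clnt = Get-ADUser     -Identity $ClientUser     -Properties userAccountControl

$problems = @()
if (-not ($svc.userAccountControl -band $TRUSTED_FOR_DELEGATION)) {
    $problems += "service account $ServiceAccount is not trusted for delegation"
}
if (-not ($comp.userAccountControl -band $TRUSTED_FOR_DELEGATION)) {
    $problems += "computer $ComputerName is not trusted for delegation"
}
if ($clnt.userAccountControl -band $NOT_DELEGATED) {
    $problems += "$ClientUser is marked sensitive and cannot be delegated"
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    return   # fix the check boxes first; an SPN alone will not make delegation work
}

foreach ($port in $Ports) {
    $spn = "MSSQLSvc/${SqlHost}:${port}"

    # An SPN must be unique in the forest. If it is still attached to another
    # account (for example a previous service account), the KDC cannot issue a
    # ticket for it, so report the conflict instead of creating a duplicate.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others = @($owners | Where-Object { $_.DistinguishedName -ne $svc.DistinguishedName })
    if ($others.Count -gt 0) {
        Write-Warning "$spn is already registered on $($others[0].DistinguishedName); remove it there first"
        continue
    }
    if ($owners.Count -gt 0) {
        Write-Host "$spn is already registered on $ServiceAccount"
        continue
    }

    # Same effect as:  setspn -A MSSQLSvc/host:port sqlaccount
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $spn }
    Write-Host "registered $spn on $ServiceAccount"
}

# Equivalent of "setspn -L sqlaccount": list what is now registered.
(Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName

# When the service account changes, remove the SPN from the old account before
# adding it to the new one (setspn -D does the same):
#   Set-ADUser -Identity 'oldaccount' -ServicePrincipalNames @{ Remove = $spn }
```

The duplicate check queries the directory for any object carrying the SPN rather than only the target account, because the failure mode is an SPN that resolves to two accounts, and that is invisible if you only look at the account you are about to modify. Run the script once per SQL Server host, adding every port the instance listens on to $Ports.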

Adding an SPN to SQL Server

To add an SPN on an instance of SQL Server named "myserver.microsoft.com", for an instance listening on port