How a Client Application Finds a Service (SPN)
Clients find service objects by querying the directory. The client can limit the scope of the query to its domain, or it can search the entire forest by using the global catalog. In either case, the client does not need information about the location of the service to perform the search.
If the connection point objects that are being searched for are direct instances of the serviceConnectionPoint class, a client application can locate published services by searching for any object where objectCategory is equal to serviceConnectionPoint and objectClass is equal to serviceConnectionPoint. The keywords attribute contains the vendor-specific and application-specific GUID.
For more information about how a client application finds a service, see the “Microsoft Platform SDK” on MSDN.
How a Client Composes an SPN
Source: http://technet.microsoft.com/en-us/library/cc755804(v=ws.10).aspx#w2k3tr_adspn_how_tpop
"To mutually authenticate a service, a client application composes an SPN for the service instance to which it wants to connect and then presents this SPN to the KDC for authentication. The client application can use DsMakeSpnfunction to compose an SPN. The client specifies the components of the SPN by using known information or information that is retrieved from sources other than the service itself.
The form of an SPN is as follows, where ServiceClass and Host are required and Port and ServiceName are optional:
ServiceClass/Host:Port/ServiceName
A client application can retrieve components of the SPN from sources such as a connection point object, user input, or hard-coded strings that are contained within the client application. For example, the client can read the serviceDNSName attribute of a service’s connection point object to get the Host component. The serviceDNSName attribute contains either the DNS name of the server on which the service instance is running or the DNS name of SRV records that contain the host information for service replicas. The ServiceName component, which is used only for replicable services, can be the distinguished name of the service’s connection point object, the DNS name of the domain that is served by the service, or the DNS name of SRV or MX records."
Differences between the delegation tab betweens the DC, Client computer & User account
**Above snap from a Domain controller
**
**
Above snap from a normal computer account.
**
**Above snap taken from an user account (There is no delegation tab)
**
**
Above snap is taken from an user account but delegation tab is present there coz I have added some SPNs with below commands.**
C:\setspn -A http/Kol-ads01 bshwjt
Registering ServicePrincipalNames for CN=bshwjt bshwjt,CN=Users,DC=gs,DC=com
http/Kol-ads01
Updated object
C:\setspn -A http/Kol-ads01.gs.com bshwjt
Registering ServicePrincipalNames for CN=bshwjt bshwjt,CN=Users,DC=gs,DC=com
http/Kol-ads01.gs.com
Updated object
Added the below snap for your reference
Credits
Some content taken from:
http://technet.microsoft.com/en-us/library/cc755804(v=ws.10).aspx#w2k3tr_adspn_how_tpop
See also
The biggest mistake: ServicePrincipalName’s
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx