2.2.2 Service Principal Names for Domain Controllers

In the absence of a trusted naming service, which maps service names to servers providing a given service, the client of a distributed service must authenticate a service, not a server. The client produces a service principal name (SPN), which is a name for the service it wants a connection to, and the authentication system verifies that the server is a provider of the named service.

Kerberos verifies the services provided by a server by reading the servicePrincipalName attribute of the server's computer object. The servicePrincipalName attribute contains a set of Unicode strings; each string is an SPN. If the client produces an SPN that is not present on the computer object of the server it has requested a connection to, the mutual authentication fails and so does the connection attempt.

Each DC maintains the values of the servicePrincipalName attribute on its own computer object.

For the protocols specified in this document, the SPN produced by a client differs for DC-to-DC communications and non-DC-client-to-DC communications. The specific SPNs produced by a client in each scenario are described in the following sections.

In either DC-to-DC or client-to-DC operations, to allow use of the DRS Remote Protocol when the RPC endpoint mapper has been configured to disallow anonymous clients (see [MS-RPCE] section 3.1.1.1.3), the DC stores an SPN with the following format<2>:

  • "RPC/<DSA GUID>.msdcs.<DNS forest name>"

In the preceding SPN description, <DSA GUID> is the DSA GUID of the DC and <DNS forest name> is the FQDNs (2) of the forest of the DC.