3.1.1.5.3.1.1.4 servicePrincipalName
The object has class computer (or a subclass of computer).
In AD DS, the servicePrincipalName value satisfies the following constraints:
- The SPN (2) is a syntactically correct two-part SPN (2), or it is a syntactically correct three-part SPN (2) and the object is a DC's domain controller object (see sections 6.1.1.3.1 and 6.1.1.3.2). See section 2.2.21 for the syntax of an SPN (2).
- The SPN (2) MUST NOT contain an ":instancename" component.
- One of the following constraints:
  - The hostname matches one of the following: the dNSHostName of the machine, the sAMAccountName of the machine (without the terminating "$"), one of the msDS-AdditionalDnsHostName, or one of the msDS-AdditionalSamAccountName (without the terminating "$").
  - The object has class msDS-ManagedServiceAccount (or a subclass of msDS-ManagedServiceAccount), the domain behavior version is at least DS_BEHAVIOR_WIN2008R2, and the hostname matches one of the following: the dNSHostName, the sAMAccountName (without the terminating "$"), one of the msDS-AdditionalDnsHostName, or one of the msDS-AdditionalSamAccountName (without the terminating "$"), of an object that is referenced by the msDS-HostServiceAccountBL attribute on the object.
  - The SPN (2) is a two-part SPN (2), and the service name is of the form <guid>._msdcs.<fqdn>, where <guid> is the objectGUID of the domain controller, and <fqdn> matches the msDS-DnsRootAlias of a crossRef object representing the forest.
  - The SPN (2) is a three-part SPN (2) and the service name matches one of the following constraints:
    - The service class is "GC" and the service name matches one of the following: the dnsRoot, or the msDS-DnsRootAlias of the crossRef object representing the forest root domain NC.
    - The service class is "ldap" and the service name matches one of the following: the NetBIOSName, the dnsRoot, or the msDS-DnsRootAlias of a crossRef object representing the domain NC or one of the application NCs hosted by the DC.
The requester MUST have the Validated-SPN validated write right.
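The following added example (not part of the specification or of any Microsoft code) applies the constraints above as an audit: given a computer object's attributes, it lists servicePrincipalName values that a validated write would have rejected, which therefore must have been set by a principal with a broader write permission. It covers the hostname-match and three-part DC alternatives only (the managed service account and `<guid>._msdcs.<fqdn>` alternatives are omitted, so SPNs that rely on them are reported too). The SPN shape, the treatment of a numeric suffix as a port, and the parameters `is_dc`, `forest_names` and `nc_names` are assumptions of the example.

```python
import re

# Assumed SPN shape: serviceclass/hostname[:port | :instancename][/servicename]
# (section 2.2.21 is not reproduced on this page; a numeric suffix is taken as a port).
SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<suffix>[^/]+))?(?:/(?P<svc>[^/]+))?$")

def _names(obj):
    """Host names the object may claim: DNS names plus SAM names without '$'."""
    dns = [obj.get("dNSHostName")] + obj.get("msDS-AdditionalDnsHostName", [])
    sam = [obj.get("sAMAccountName")] + obj.get("msDS-AdditionalSamAccountName", [])
    sam = [n[:-1] if n.endswith("$") else n for n in sam if n]
    return {n.lower() for n in dns + sam if n}

def check_spn(spn, obj, is_dc=False, forest_names=(), nc_names=()):
    """Return (ok, reason) for one SPN against the constraints listed above."""
    m = SPN_RE.match(spn)
    if not m:
        return False, "not a two- or three-part SPN"
    cls, host, suffix, svc = m.group("cls", "host", "suffix", "svc")
    if svc is not None and not is_dc:
        return False, "three-part SPN on a non-DC object"
    if suffix is not None and not suffix.isdigit():
        return False, "contains :instancename"
    if host.lower() in _names(obj):
        return True, "hostname matches object"
    if svc is not None:
        # forest_names / nc_names: crossRef names supplied by the caller (hypothetical inputs)
        allowed = {"gc": forest_names, "ldap": nc_names}.get(cls.lower(), ())
        if svc.lower() in {n.lower() for n in allowed}:
            return True, "DC service name matches crossRef"
    return False, "hostname does not match object"

def audit(obj, **kw):
    """List (spn, reason) pairs on obj that would not pass the validated write."""
    results = [(s, check_spn(s, obj, **kw)) for s in obj.get("servicePrincipalName", [])]
    return [(s, why) for s, (ok, why) in results if not ok]

# Constructed sample object (not real data).
WS01 = {
    "sAMAccountName": "WS01$",
    "dNSHostName": "ws01.corp.example",
    "servicePrincipalName": [
        "HOST/ws01.corp.example", "HOST/WS01",
        "HTTP/files.corp.example",              # names another host
        "MSSQLSvc/ws01.corp.example:INST1",     # instance name component
        "ldap/ws01.corp.example/corp.example",  # three-part SPN, object is not a DC
    ],
}
```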