Understanding Kerberos and the Art of SPN Creation
What is Kerberos?
Kerberos is a network authentication protocol that uses secret-key cryptography to provide strong authentication for client/server applications over a non-secure network. A free implementation of the protocol is available from the Massachusetts Institute of Technology.
How Does Kerberos Work?
Kerberos works on the basis of ‘tickets’ which serve as encrypted identifiers. These tickets are issued by the Key Distribution Center (KDC), a trusted third-party entity. Clients communicate with servers using these tickets rather than sending passwords over the network.

Service Principal Name (SPN)
In the context of Kerberos, a Service Principal Name (SPN) is a unique identifier for an instance of a service running on a server. Combined with the realm name, the SPN is the name by which a client uniquely identifies that service instance when it requests a service ticket.
Creating an SPN
Creating an SPN involves associating a service with a logon account (service account) in Active Directory. This can be done using the setspn command-line tool provided by Microsoft. Here’s a basic example of how to create an SPN:
setspn -s HTTP/webserver.domain.com domain\serviceaccount
In this command, HTTP/webserver.domain.com is the SPN being registered and domain\serviceaccount is the service account under which the service will run.
For more information, see the setspn reference on Microsoft Learn (Setspn | Microsoft Learn).
Example SPN Class Types
- HOST: This is the default service class set under all computer accounts. There will be an SPN present for both the NetBIOS and Fully Qualified Domain Name (FQDN). HOST also covers the following service class types:
  - alerter
  - appmgmt
  - cisvc
  - clipsrv
  - browser
  - dhcp
  - dnscache
  - replicator
  - eventlog
  - eventsystem
  - policyagent
  - oakley
  - dmserver
  - dns
  - mcsvc
  - fax
  - msiserver
  - ias
  - messenger
  - netlogon
  - netman
  - netdde
  - netddedsm
  - nmagent
  - plugplay
  - protectedstorage
  - rasman
  - rpclocator
  - rpc
  - rpcss
  - remoteaccess
  - rsvp
  - samss
  - scardsvr
  - scesrv
  - seclogon
  - scm
  - dcom
  - cifs
  - spooler
  - snmp
  - schedule
  - tapisrv
  - trksvr
  - trkwks
  - ups
  - time
  - wins
  - www
  - http
  - w3svc
  - iisadmin
  - msdtc
- HTTP: used for web services. If you want your web server to be found by Kerberos-aware web browsers through Active Directory, register it under the HTTP/yourwebserver SPN.
- MSSQLSvc: used for SQL Server.
- SMTP: used for mail services.
- FTP: used for file transfer services.
- LDAP: used for directory services.
- WWW: used for a web service.
- TERMSRV: used for Remote Desktop connections.
- WSMAN: used for the Windows Remote Management service (based on the WS-Management standard).
- RestrictedKrbHost: the class of services whose SPNs use the service class string "RestrictedKrbHost"; their service tickets are encrypted with the computer account's key and share a session key.
Listing an SPN
An SPN can be registered on only one object. You can check which SPNs a computer or service account already holds with the following commands:
setspn -l DOMAIN\Computer
setspn -l DOMAIN\ServiceAccount
Querying an SPN
Best practice is to confirm whether the SPN already exists anywhere in the domain/forest before registering it. To do this, use the following command:
setspn -q HTTP/webserver.domain.com
If the SPN is already registered in the domain/forest, setspn prints the message "Existing SPN found!"
Deleting an SPN
If an SPN is no longer required, it is good practice to remove it. setspn -d takes both the SPN and the account it is registered to; use the following command to remove an SPN:
setspn -d HTTP/webserver.domain.com domain\serviceaccount
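The query, register, list and remove steps from the preceding sections, wrapped in a few PowerShell functions around setspn.exe. This is an added example, not code from the original post: it assumes setspn.exe is on the PATH (it ships with the AD DS tools / RSAT) and that the caller has rights to write the target account's servicePrincipalName attribute. It matches on the "Existing SPN found!" message described above rather than on an exit code, and it refuses to register a duplicate, because two objects holding the same SPN leave the KDC unable to pick a single key for the service ticket and break authentication to both.

```powershell
# Added example (not from the original post): a thin PowerShell wrapper around
# setspn.exe for the query -> register -> verify -> remove workflow.
# Assumes setspn.exe is on the PATH and the caller can write the target
# account's servicePrincipalName attribute. Account names are DOMAIN\name.

function Test-SpnExists {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q searches the forest and reports "Existing SPN found!" on a hit.
    $output = & setspn.exe -Q $Spn 2>&1 | Out-String
    return [bool]($output -match 'Existing SPN found!')
}

function Get-AccountSpn {
    param([Parameter(Mandatory)][string]$Account)
    # setspn -L prints a header line followed by one indented SPN per line;
    # keep only the indented lines and trim them.
    $lines = & setspn.exe -L $Account 2>&1
    return @($lines | Where-Object { "$_" -match '^\s+\S' } | ForEach-Object { "$_".Trim() })
}

function Register-Spn {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )
    if (Test-SpnExists -Spn $Spn) {
        # A duplicate SPN breaks Kerberos for both holders; stop here instead of
        # creating the second copy.
        throw "SPN '$Spn' is already registered in the forest; resolve the duplicate before adding it to $Account."
    }
    # -S (rather than -A) makes setspn re-check for duplicates on the DC before writing.
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed with exit code $LASTEXITCODE for '$Spn' on $Account."
    }
    # Read the account back and confirm the SPN is now present (case-insensitive).
    if (-not ((Get-AccountSpn -Account $Account) -contains $Spn)) {
        throw "SPN '$Spn' did not appear on $Account after registration."
    }
    return $Spn
}

function Unregister-Spn {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )
    # setspn -D needs both the SPN and the account that holds it.
    & setspn.exe -D $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -D failed with exit code $LASTEXITCODE for '$Spn' on $Account."
    }
    if ((Get-AccountSpn -Account $Account) -contains $Spn) {
        throw "SPN '$Spn' is still present on $Account after removal."
    }
}

# Usage with the post's placeholder names:
# Register-Spn   -Spn 'HTTP/webserver.domain.com' -Account 'domain\serviceaccount'
# Get-AccountSpn -Account 'domain\serviceaccount'
# Unregister-Spn -Spn 'HTTP/webserver.domain.com' -Account 'domain\serviceaccount'
```

Because the functions throw on any unexpected state, they can be dropped into a provisioning script without silently leaving an account half-configured; the read-back after each change is what turns "the command ran" into "the directory now says what we expect".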
Setting multiple SPNs
If you need more than one SPN on a service account or computer object, you can add them either through the GUI in Active Directory Users and Computers or with PowerShell. Below is a quick PowerShell example that applies the relevant SPNs to an AD object.
Applying to a User Service Account
$MultiSPN = @{Add="HTTP/hostname","HTTP/hostname.domain.local"}
Set-ADUser -Identity "ServiceAccount" -ServicePrincipalNames $MultiSPN
Applying to a Computer Object
$MultiSPN = @{Add="HTTP/hostname","HTTP/hostname.domain.local"}
Set-ADComputer -Identity "ComputerObject" -ServicePrincipalNames $MultiSPN
If port numbers are required then you can use the following:
$MultiSPN = @{Add="HTTP/hostname:port","HTTP/hostname.domain.local:port"}
Set-ADComputer -Identity "ComputerObject" -ServicePrincipalNames $MultiSPN
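A fuller version of the script above, added here as an example and not part of the original post. It builds the NetBIOS and FQDN SPN pair for a host (with an optional port, as in the last snippet), checks the domain for an existing holder of each SPN with an LDAP filter before writing, applies the set with Set-ADUser or Set-ADComputer using the same Add hashtable form, and reads the object back to confirm. It assumes the ActiveDirectory module is available; the host, domain and account names are placeholders.

```powershell
# Added example (not from the original post): build and apply a set of SPNs to
# a user or computer object with the ActiveDirectory module, refusing to create
# duplicates. Requires RSAT / the ActiveDirectory module; names are placeholders.

Import-Module ActiveDirectory

function New-HostSpnSet {
    param(
        [Parameter(Mandatory)][string]$ServiceClass,   # e.g. HTTP, MSSQLSvc
        [Parameter(Mandatory)][string]$HostName,       # short (NetBIOS) host name
        [Parameter(Mandatory)][string]$DnsDomain,      # e.g. domain.local
        [int]$Port = 0                                 # 0 = no port suffix
    )
    $suffix = if ($Port -gt 0) { ":$Port" } else { '' }
    # Clients build the SPN from whatever name they connect with, so both the
    # short name and the FQDN must be registered (this matches the post's pair).
    return @(
        "$ServiceClass/$HostName$suffix",
        "$ServiceClass/$HostName.$DnsDomain$suffix"
    )
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # servicePrincipalName is indexed, so an equality filter is cheap.
    # Escape the LDAP filter metacharacters that can legitimately appear in an SPN.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    return Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName
}

function Add-SpnSet {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Spn,
        [ValidateSet('User', 'Computer')][string]$ObjectType = 'User'
    )
    # Fail before writing anything if any SPN is already held by another object.
    foreach ($s in $Spn) {
        $owner = Find-SpnOwner -Spn $s
        if ($owner) {
            throw "SPN '$s' already belongs to $($owner.DistinguishedName); a second copy would break Kerberos for both objects."
        }
    }

    # Same Add-hashtable form the post uses for -ServicePrincipalNames.
    $change = @{ Add = $Spn }
    if ($ObjectType -eq 'Computer') {
        Set-ADComputer -Identity $Identity -ServicePrincipalNames $change
        $obj = Get-ADComputer -Identity $Identity -Properties servicePrincipalName
    }
    else {
        Set-ADUser -Identity $Identity -ServicePrincipalNames $change
        $obj = Get-ADUser -Identity $Identity -Properties servicePrincipalName
    }

    # Read back and confirm every requested SPN is now on the object.
    $missing = @($Spn | Where-Object { $obj.servicePrincipalName -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "SPNs not applied to $Identity : $($missing -join ', ')"
    }
    return $obj.servicePrincipalName
}

# Usage (placeholder names):
# $spns = New-HostSpnSet -ServiceClass HTTP -HostName hostname -DnsDomain domain.local -Port 8443
# Add-SpnSet -Identity 'ServiceAccount' -Spn $spns -ObjectType User
# Add-SpnSet -Identity 'ComputerObject' -Spn $spns -ObjectType Computer
```

Get-ADObject without -Server searches the current domain; in a multi-domain forest, point it at a global catalog (port 3268) if the SPN could be held by an object in another domain, which is what setspn -Q does for you.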
Conclusion
Understanding Kerberos and the SPN creation process is crucial for network security, and with NTLM being phased out, problems with Kerberos authentication will become more visible, so getting ahead of them is advised.
While the process may seem complex, with a bit of practice, it becomes second nature. As always, ensure to follow best practices and keep your systems secure.