Summary
This document describes Service Principal Names (SPNs) and delegation of authentication in Windows. It contains detailed information about what SPNs are and how they are used in a Citrix Presentation Server deployment. It also lists the different types of SPNs available in Windows. You may need to refer to this list when configuring servers running Presentation Server for constrained delegation.
Background
If you are using Microsoft Active Directory Federation Services (ADFS) in your Presentation Server deployment, you need to know about SPNs and delegation of authentication. You need to configure the servers in your deployment for delegation.
You also need to know about SPNs and delegation of authentication if you are using direct Kerberos authentication between Presentation Server clients and servers running Presentation Server in your deployment.
Service Principal Names
SPNs provide a level of indirection to user and computer accounts, enabling applications to refer to abstract service names rather than the accounts under which those services run. This enables services to run under different accounts without changing applications.
SPNs are used for Kerberos authentication. When a client requests a service ticket, it names the target service by its SPN rather than by an account. The KDC looks up which account has that SPN registered (in the account's servicePrincipalName attribute) and encrypts the ticket with that account's key, so each SPN must be registered on exactly one account.
SPNs consist of two main components, a service type (also called the service class) and a service location (the host name), separated by a slash (/); a port (:port) and an instance name (/name) can follow. A list of the service types available for Windows is included in this article. For example:
HTTP/foo.acme.com – Any page on the Web site on port 80 of foo.acme.com, that is, http://foo.acme.com.
HOST/bar.acme.com – Any process running under the computer account on bar.acme.com, including Presentation Server.
MSSQLSvc/wup.acme.com:1433 – The SQL Server listening on wup.acme.com, port 1433.
cifs/wizard.acme.com – The file share on wizard.acme.com.
For more information, see:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAServicePrincipalNameSPN.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/service_principal_names.asp
Delegation of authentication
In Windows, a server can be marked as “trusted for delegation.” This means the server can obtain Kerberos tickets to other services on behalf of a user who authenticated to it, and present them as if it were that user. The target services cannot tell that the request is being made by a server on the user's behalf rather than directly by the user.
Figure 1 (screen shot not reproduced here) shows the Delegation tab of the computer's Properties dialog box, available in the Active Directory Users and Computers administration tool.
There are two types of delegation:
- Unconstrained delegation: If you select the Trust this computer for delegation to any service (Kerberos only) check box, the server can access any other service as the user, as long as the user authenticated to it using Kerberos. With this setting the server receives a copy of the user's forwardable ticket-granting ticket (TGT), so a compromise of that server yields the TGT of every user who connects to it; prefer constrained delegation wherever the list of target services is known.
Note: This setting does not work with ADFS deployments, because a user who logs on through ADFS does not authenticate to the server with Kerberos and therefore has no Kerberos ticket to forward.
- Constrained delegation: If you select the Trust this computer for delegation to specified services only check box, the server can access only the listed services as the user.
a. If you select Use Kerberos only, the user must authenticate to the server using Kerberos.
b. If you select Use any authentication protocol, the user can authenticate to the server using any authentication method (for example, Windows NT LAN Manager (NTLM) or ADFS). This is known as protocol transition because one authentication method, for example ADFS, is transitioned into another; on Windows the protocol transitioned to is always Kerberos. Because the server can obtain a ticket for any user without that user's credentials, keep the list of target services for a protocol-transition server as short as possible.
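The three options on the Delegation tab are stored as attributes on the account object, and that is what an audit has to read. The following script, added here as an example and not part of the original article, lists every account in the domain that carries any delegation setting and labels it with the three categories above. It assumes the ActiveDirectory PowerShell module (RSAT) in a domain-joined session; domain controllers appear as Unconstrained because that is their default.

```powershell
# Added example (not from the original article): classify every account that
# carries a delegation setting, using the attributes the Delegation tab writes.
Import-Module ActiveDirectory

# userAccountControl bits set by the Delegation tab (values from the AD schema).
$TRUSTED_FOR_DELEGATION         = 0x00080000   # "any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # "Use any authentication protocol"

function Get-DelegationType {
    param([Parameter(Mandatory)] $Account)   # ADObject with the two properties below
    $uac     = [int]$Account.userAccountControl
    $targets = @($Account.'msDS-AllowedToDelegateTo')
    # Unconstrained wins: while this bit is set the target list is ignored.
    if ($uac -band $TRUSTED_FOR_DELEGATION)         { return 'Unconstrained' }
    if ($targets.Count -eq 0)                       { return 'None' }
    if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'Constrained (any protocol)' }
    return 'Constrained (Kerberos only)'
}

# Bitwise-AND LDAP filter: either delegation bit set, or a target list present.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +     # 0x80000
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +   # 0x1000000
          '(msDS-AllowedToDelegateTo=*))'

Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Name
            Class   = $_.ObjectClass
            Type    = Get-DelegationType $_
            Targets = (@($_.'msDS-AllowedToDelegateTo') -join '; ')
        }
    } | Sort-Object Type, Account | Format-Table -AutoSize
```

Anything reported as Unconstrained that is not a domain controller is worth a second look: in the ADFS deployment described in this article no server needs it.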
If you configure constrained delegation, you can specify which services the server can access as a user using the following procedure:
1. On the Delegation tab, click Add….
2. Click Users or Computers….
3. In the Enter the object names to select (examples) box, either:
   - Type in the account name, if the service is running under a domain user account.
     Note: You must ensure there is an appropriate SPN mapping in this case. For more information, see Using the Setspn Tool below.
   -Or-
   - Type in the name of the server where the service is running.
4. Click OK.
5. Select the service type from the Add Services list. For more information about the different types of service available, see Service Types below.
6. Click OK.
7. Verify that the service you selected appears in the Services to which this account can present delegated credentials: list.
Using this procedure enables you to specify the SPN for each service. This is how constrained delegation and SPNs are related: you use SPNs to specify which services a server can access on behalf of a user.
For more information about delegation of authentication, see:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1013484,00.html
http://technet2.microsoft.com/WindowsServer/en/Library/c312ba01-318f-46ca-990e-a597f3c294eb1033.mspx
http://www.windowsecurity.com/articles/Delegation_Authentication_Windows_Server_2003.html
Configuring Delegation in Your Presentation Server Deployment
You must configure delegation when you enable user logon to Presentation Server using Microsoft ADFS. You also need to configure delegation when you enable Kerberos logon between the Presentation Server clients and the Presentation Server.
The following diagram shows a sample deployment where users log on to Presentation Server either through ADFS or directly from a client using Kerberos. After logging on, users run an application that accesses a SQL Server database. The SQL Server is configured to require Windows authentication.
Note: Details about ADFS, Web Interface, and Presentation Server interactions are not shown.
Logging On Using ADFS
If users log on using ADFS, use the details in the table below to set up delegation. The user’s identity must pass from the server running the Web Interface to the XML service and then to the server running Presentation Server. When the user launches an application on the server running Presentation Server, their identity must be passed to the SQL server. Only the first hop needs protocol transition (any protocol): the user authenticated to the Web Interface through ADFS rather than Kerberos, so the Web Interface server must obtain a Kerberos ticket for the user itself. Every later hop already starts from a Kerberos ticket and can be Kerberos only.
Computer        Trusted for delegation to    Type of delegation
wi.acme.com     http/xml.acme.com            Constrained (any protocol)
xml.acme.com    HOST/cps.acme.com            Constrained (Kerberos only)
cps.acme.com    MSSQLSvc/sql.acme.com        Constrained (Kerberos only)
Logging On Using Kerberos
If users log on directly from the client, use the details in the following table to set up delegation. The client is already able to pass the user’s identity to the server running Presentation Server using Kerberos. The server running Presentation Server, however, must be able to pass the user’s identity to the SQL Server when the user launches an application. Either type of delegation works here; constrained delegation to the single SQL Server SPN is the safer choice, because unconstrained delegation hands the Presentation Server every connecting user's TGT.
Computer        Trusted for delegation to    Type of delegation
cps.acme.com    MSSQLSvc/sql.acme.com        Unconstrained or constrained
Adding a Second Server to Your Deployment
If you add a second server running Presentation Server (cps2.acme.com) to the farm, the following table describes the relevant ADFS delegation settings.
Computer        Trusted for delegation to    Type of delegation
wi.acme.com     http/xml.acme.com            Constrained (any protocol)
xml.acme.com    HOST/cps.acme.com            Constrained (Kerberos only)
                HOST/cps2.acme.com
cps.acme.com    MSSQLSvc/sql.acme.com        Constrained (Kerberos only)
cps2.acme.com   MSSQLSvc/sql.acme.com        Constrained (Kerberos only)
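The table above, and the Delegation tab procedure earlier in this article, can be applied without the GUI. The following script is an added example and not part of the original article or of Citrix's documentation: it writes the two attributes that the Delegation tab edits (msDS-AllowedToDelegateTo and the delegation bits in userAccountControl) for the four computers in the table. Host names are the article's sample names; the ActiveDirectory PowerShell module and the right to modify those computer objects are assumed.

```powershell
# Added example (not from the original article): apply the ADFS delegation
# table with the ActiveDirectory module instead of the Delegation tab.
Import-Module ActiveDirectory

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $Computer,    # computer name, e.g. 'wi'
        [Parameter(Mandatory)] [string[]] $TargetSpn,   # services it may reach as the user
        [switch] $AnyProtocol                           # "Use any authentication protocol"
    )
    $acct = Get-ADComputer -Identity $Computer

    # Clear unconstrained delegation first: while TRUSTED_FOR_DELEGATION is set,
    # the target list below is ignored and the server receives the user's TGT.
    $acct | Set-ADAccountControl -TrustedForDelegation $false

    # msDS-AllowedToDelegateTo is the list the GUI shows as
    # "Services to which this account can present delegated credentials".
    $acct | Set-ADComputer -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }

    # Protocol transition (ADFS or NTLM in, Kerberos out) is the
    # TRUSTED_TO_AUTH_FOR_DELEGATION bit; the Kerberos-only rows leave it clear.
    $acct | Set-ADAccountControl -TrustedToAuthForDelegation ([bool]$AnyProtocol)
}

# wi -> xml: the user reached Web Interface through ADFS, not Kerberos,
# so this hop needs protocol transition.
Set-ConstrainedDelegation -Computer 'wi'  -TargetSpn 'http/xml.acme.com' -AnyProtocol
# xml -> both Presentation Servers, Kerberos only.
Set-ConstrainedDelegation -Computer 'xml' -TargetSpn 'HOST/cps.acme.com', 'HOST/cps2.acme.com'
# Each Presentation Server -> SQL Server, Kerberos only.
foreach ($cps in 'cps', 'cps2') {
    Set-ConstrainedDelegation -Computer $cps -TargetSpn 'MSSQLSvc/sql.acme.com'
}

# Read back what was written; TrustedForDelegation must be False on every row.
Get-ADComputer -Filter "Name -eq 'wi' -or Name -eq 'xml' -or Name -eq 'cps' -or Name -eq 'cps2'" `
               -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
                  @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Format-Table -AutoSize
```

Note that the GUI, when you pick HOST for a computer, adds both the FQDN and the short-name form (HOST/cps.acme.com and HOST/CPS); the script writes only the forms you pass, so include both if clients request tickets by short name.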
Detailed instructions for setting up delegation in ADFS deployments are available in the Web Interface Administrator’s Guide.
Service Types
The list below gives the SPN service types defined for Windows services. Each entry shows the service type, the service name as it appears in the Services administration tool (or “no service entry” where there is none), and a description.
You can refer to this list when selecting service types on the Delegation tab of the computer's Properties dialog box, available in the Active Directory Users and Computers administration tool. Note that Windows treats many of these types as aliases of HOST (the forest's sPNMappings attribute), so a ticket request for, say, cifs/server or http/server is satisfied by the HOST/server SPN on the computer account; types without such a mapping, for example MSSQLSvc, must be registered explicitly.
alerter (Alerter): Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them.
appmgmt (Application Management): Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users are unable to install, remove, or enumerate any IntelliMirror programs.
browser (Computer Browser): Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list is not updated or maintained.
cifs (no service entry): Provides access to file shares over the network (also known as SMB).
cisvc (Indexing Service): Indexes contents and properties of files on local and remote computers; provides rapid access to files through a flexible querying language.
clipsrv (ClipBook): Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer cannot share information with remote computers.
dcom (no service entry): Provides remote access to Component Object Model (COM) components.
dhcp (DHCP Client/Server): Registers and updates IP addresses and Domain Name System (DNS) records for this computer. If this service is stopped, this computer does not receive dynamic IP addresses and DNS updates.
dmserver (Logical Disk Manager): Detects and monitors new hard disk drives and sends disk volume information to the Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date.
dns (DNS Server): Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates do not occur.
dnscache (DNS Client): Resolves and caches DNS names for this computer. If this service is stopped, this computer cannot resolve DNS names and locate Active Directory domain controllers.
eventlog (Event Log): Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
eventsystem (COM+ Event System): Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing COM components. If the service is stopped, SENS closes and cannot provide logon and logoff notifications.
fax (Fax): Enables you to send and receive faxes utilizing fax resources available on this computer or on the network.
HOST (no service entry): Any service running under the computer’s domain account (that is, as LOCAL SYSTEM or NETWORK SERVICE). This includes Citrix Presentation Server.
http (HTTP): Implements the hypertext transfer protocol (HTTP).
iisadmin (IIS Admin Service): Enables this server to administer Web and FTP services. If this service is stopped, the server is unable to run Web, FTP, Network News Transfer Protocol (NNTP), or Simple Mail Transfer Protocol (SMTP) sites or configure Internet Information Services (IIS).
ldap (no service entry): Active Directory access (for example, Active Directory queries, or Active Directory Services Interface (ADSI) calls).
messenger (Messenger): Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages are not transmitted.
msdtc (Distributed Transaction Coordinator): Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions do not occur.
msiserver (Windows Installer): Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package.
MSSQLSvc (SQL Server): Microsoft SQL Server. Provides storage, processing and controlled access of data and rapid transaction processing.
netdde (Network DDE): Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security is unavailable.
netddedsm (Network DDE DSDM): Manages DDE network shares. If this service is stopped, DDE network shares are unavailable.
netlogon (Net Logon): Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records.
netman (Network Connections): Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network (LAN) and remote connections. If this service is disabled, you cannot view LAN or remote connections.
plugplay (Plug and Play): Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service results in system instability.
policyagent (IPSec Services): Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network is impaired.
protectedstorage (Protected Storage): Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. If this service is stopped, protected storage is unavailable.
rasman (Remote Access Connection Manager): Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is stopped, the operating system might not function properly.
remoteaccess (Routing and Remote Access): Enables multi-protocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on this network. If this service is stopped, these services are unavailable.
rpc (no service entry): Enables remote procedure call (RPC) clients to access RPC servers.
rpclocator (Remote Procedure Call (RPC) Locator): Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers. If this service is stopped or disabled, RPC clients using RpcNs* APIs may be unable to locate servers or fail to start. RpcNs* APIs are not used internally in Windows.
rpcss (Remote Procedure Call (RPC)): Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or RPC services do not function properly.
samss (Security Accounts Manager): The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service prevents other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
scardsvr (Smart Card): Manages access to smart cards read by this computer. If this service is stopped, this computer is unable to read smart cards.
schedule (Task Scheduler): Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks are not run at their scheduled times.
seclogon (Secondary Logon): Enables starting processes under alternate credentials. If this service is stopped, this type of logon access is unavailable.
SMTPSVC (Simple Mail Transfer Protocol (SMTP)): Transports electronic mail across the network.
snmp (SNMP Service): Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. If this service is stopped, the computer cannot process SNMP requests.
spooler (Print Spooler): Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine is unavailable.
tapisrv (Telephony): Provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections. If this service is stopped, the function of all dependent programs is impaired.
time (Windows Time): Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization is unavailable.
trksvr (Distributed Link Tracking Server): Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain.
trkwks (Distributed Link Tracking Client): Enables client programs to track linked files that are moved within a Windows NT File System (NTFS) volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. If this service is stopped, the links on this computer are not maintained or tracked.
Ups (Uninterruptible Power Supply): Manages an uninterruptible power supply (UPS) connected to the computer.
w3svc (World Wide Web Publishing Service): Provides Web connectivity and administration through the Internet Information Services Manager.
Using the Setspn Tool
The setspn.exe tool is included in the support tools of your Windows installation media.
Setspn manages the mappings between abstract service names and user accounts. It is useful if you want to run a service under a specific user account. For example, when you install a service such as Microsoft SQL Server, by default it runs as a local system or network service. If you want to run the service as a domain user, you can use Setspn to inform Active Directory which user account the service runs under.
To see which SPNs are registered for a given user account, add the -L option to setspn.
To register an SPN to a user account, add the -A option to setspn. For example, you install Microsoft SQL Server on the host sql.acme.com and choose to run SQL Server on port 1433 as the domain user “fred.” You can use setspn to register this SPN on that user account with Active Directory as follows:
setspn -A MSSQLSvc/sql.acme.com:1433 fred
Before doing so, check with setspn -L that no other account, in particular the computer account of sql.acme.com, already holds the same SPN. An SPN registered on two accounts is a duplicate, and Kerberos authentication to that service then fails because the KDC cannot tell which account's key to use. Newer versions of setspn (Windows Server 2008 and later) add -S, which refuses to register a duplicate, and -X, which searches the forest for existing duplicates.
If no account has a given SPN registered, the SPN is expected to belong to the computer named in it. For example, if no mapping is configured in Active Directory for the SPN MSSQLSvc/sql.acme.com:1433, the SPN is expected on the computer account of sql.acme.com. This means that SQL Server must be running as Local System or Network Service on sql.acme.com, in which case it registers its MSSQLSvc SPN on the computer account itself at startup. If the SPN exists on no account at all, the KDC cannot issue a ticket and clients fall back to NTLM: the first hop still appears to work, but Kerberos delegation to that service does not.
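The registration described above, together with the ownership checks a practitioner wants before relying on it, as an added example that is not part of the original article. The SPN, host and user name are the article's sample values; the script assumes the ActiveDirectory PowerShell module, a session in the acme.com domain, and a setspn.exe from Windows Server 2008 or later (for -S and -X).

```powershell
# Added example (not from the original article): register the MSSQLSvc SPN on
# the service account "fred" only if no other account already holds it, then
# confirm there is exactly one owner.
Import-Module ActiveDirectory

$spn  = 'MSSQLSvc/sql.acme.com:1433'
$user = 'fred'                       # domain user the SQL Server service runs as
$host = 'sql'                        # computer account of the SQL Server host

function Get-SpnOwner {
    param([Parameter(Mandatory)] [string] $Spn)
    # Every account (user or computer) whose servicePrincipalName holds this SPN.
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
}

$owners = Get-SpnOwner $spn
if ($owners.Count -eq 0) {
    # -S checks the forest for duplicates before adding; the article's -A adds blindly.
    setspn -S $spn $user
} elseif ($owners.Count -gt 1 -or $owners[0].sAMAccountName -ne $user) {
    throw "$spn is already held by $($owners.sAMAccountName -join ', '); remove it there before registering it for $user"
} else {
    "$spn already registered on $user; nothing to do"
}

# What fred holds now, and proof that the computer account does NOT also hold
# the MSSQLSvc SPN (it would if SQL Server once ran as Local System).
setspn -L $user
setspn -L $host

# Forest-wide duplicate search; any group listed here breaks Kerberos for that
# service, and the fix is to remove the SPN from the account that does not run it.
setspn -X

# Final gate: exactly one owner, and it is the service account.
$owners = Get-SpnOwner $spn
if ($owners.Count -ne 1 -or $owners[0].sAMAccountName -ne $user) {
    throw "Expected $user to be the sole owner of $spn, found: $($owners.sAMAccountName -join ', ')"
}
```

Once the SPN is in place, a client that connects to the SQL Server with Windows authentication should show a Kerberos rather than NTLM auth_scheme in sys.dm_exec_connections; NTLM at that point means the SPN is still wrong or missing.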
More Information
For more information about Setspn, see:
http://technet2.microsoft.com/WindowsServer/en/Library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx
For more information about using Setspn when you run Microsoft SQL server as a domain user rather than local system or network service, see:
http://support.microsoft.com/kb/319723/
For more information about configuring servers running Presentation Server for constrained delegation in Active Directory, see the Web Interface Administrator’s Guide.