Directory Services

How a Service Composes its SPNs

A service can use two functions to compose its SPNs: DsGetSpn, a general-purpose function for composing SPNs, and DsServerRegisterSpn, a specialized function for composing and registering simple SPNs for a host-based service.

A service installer typically uses the DsGetSpn function to compose SPNs, which it then registers on the service's logon account using the DsWriteAccountSpn function. DsGetSpn can:

The array of names returned by DsGetSpn must be freed by calling the DsFreeSpnArray function.

Be aware that the DsGetSpn, DsWriteAccountSpn, and DsServerRegisterSpn functions do not verify that SPNs are unique. Because mutual authentication fails if a client presents an SPN that is not unique, verify uniqueness before registering an SPN. To do this, search the global catalog (GC) for servicePrincipalName attributes that match your SPN. For more information about searching the GC, see Searching Global Catalog Contents.
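
One way to prepare and evaluate the uniqueness check described above, as an added example that is not part of the original documentation: it builds the servicePrincipalName search filter with RFC 4515 escaping and decides from the distinguished names the search returned whether registration is safe. The function names, sample SPN and buffer size are constructed for illustration, and running the GC search with the filter is left to the caller.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write "(servicePrincipalName=<spn>)" into out, escaping
 * '*', '(', ')' and '\' per RFC 4515 so the SPN is matched literally and never
 * as a wildcard. Returns 0 on success, -1 if out is too small. */
int spn_gc_filter(const char *spn, char *out, size_t outlen)
{
    static const char prefix[] = "(servicePrincipalName=";
    size_t n = sizeof(prefix) - 1;

    if (outlen < n + 2) return -1;              /* prefix + ')' + NUL */
    memcpy(out, prefix, n);
    for (; *spn; spn++) {
        unsigned char c = (unsigned char)*spn;
        int esc = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (n + (esc ? 3 : 1) + 2 > outlen) return -1;
        if (esc) { snprintf(out + n, 4, "\\%02x", (unsigned)c); n += 3; }
        else out[n++] = (char)c;
    }
    out[n++] = ')';
    out[n] = '\0';
    return 0;
}

/* Case-insensitive comparison of two distinguished names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* holders: distinguishedName of every object the GC search returned.
 * Registration is safe only if nothing holds the SPN yet, or the only
 * holder is the service's own logon account (re-registration). */
int spn_safe_to_register(const char *const *holders, size_t n, const char *own_dn)
{
    for (size_t i = 0; i < n; i++)
        if (!eq_nocase(holders[i], own_dn)) return 0;
    return 1;
}

int main(void)
{
    char f[256];                                /* constructed sample SPN */
    if (spn_gc_filter("MyService/host1.example.com:1433", f, sizeof f) == 0)
        puts(f);
    return 0;
}
```

Call spn_safe_to_register with the search results before passing the SPN to DsWriteAccountSpn; a zero return means another account already holds the SPN.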