Service Principal Names (SPNs) are fundamental to Kerberos authentication in Windows environments. They uniquely identify services running under service accounts, enabling clients to request service tickets from the Domain Controller.
# Typical HTTP SPN registration for IIS
setspn -A HTTP/webserver01.domain.com DOMAIN\IIS_ServiceAccount
The HOST/machine SPN is a special convention in Windows Kerberos implementations. When IIS performs kernel-mode authentication, it leverages this SPN because:
- Backward compatibility: HOST was historically used before protocol-specific SPNs became common
- Service coverage: It automatically covers multiple common services (HTTP, CIFS, etc.)
- Default behavior: Windows services often register HOST SPNs during installation
When a client requests a service ticket, the resolution follows this order:
- Exact protocol-specific SPN (e.g., HTTP/webserver01)
- HOST SPN if no protocol-specific SPN exists
- Falls back to NTLM if no valid SPNs are found
During IIS installation, Windows automatically registers:
setspn -A HOST/webserver01 DOMAIN\IIS_ServiceAccount
setspn -A HOST/webserver01.domain.com DOMAIN\IIS_ServiceAccount
This allows kernel-mode authentication to work without explicit HTTP SPN configuration, though best practice recommends adding protocol-specific SPNs.
To check registered SPNs for an account:
setspn -L DOMAIN\IIS_ServiceAccount
To properly configure both HOST and HTTP SPNs:
setspn -A HTTP/webserver01 DOMAIN\IIS_ServiceAccount
setspn -A HTTP/webserver01.domain.com DOMAIN\IIS_ServiceAccount
setspn -A HOST/webserver01 DOMAIN\IIS_ServiceAccount
setspn -A HOST/webserver01.domain.com DOMAIN\IIS_ServiceAccount
When facing authentication problems:
- Ensure both short (NETBIOS) and FQDN SPNs are registered
- Verify SPNs are assigned to the correct service account
- Check for duplicate SPNs with
setspn -X - Remember that HOST SPNs have lower precedence than protocol-specific SPNs
While convenient, HOST SPNs present some security considerations:
- They're broader in scope than protocol-specific SPNs
- May expose services you didn't intend to expose
- Can lead to ticket forwarding concerns in some scenarios
Best practice is to register protocol-specific SPNs even when HOST SPNs exist.
When configuring Kerberos for IIS, most administrators are familiar with registering protocol-specific SPNs like HTTP/machine. However, you might notice that IIS automatically registers HOST/machine during installation for kernel-mode authentication. This raises several technical questions about SPN resolution in Windows authentication.
In Windows Kerberos implementation, HOST serves as a special service class that acts as a wildcard for multiple services. When a client requests a service ticket, the KDC (Key Distribution Center) will match against both protocol-specific SPNs and the HOST SPN if available.
// Example SPN registration commands
setspn -A HTTP/webserver.domain.com WebAppPoolAccount
setspn -A HOST/webserver.domain.com WebAppPoolAccountWhen a client requests a service ticket using a specific SPN (like HTTP/webserver), the KDC checks for matches in this order:
- Exact protocol-specific SPN (HTTP/webserver)
- HOST/webserver (if no exact match exists)
- Any other registered SPNs for the same account
IIS leverages HOST/machine for kernel-mode authentication because:
- It covers multiple protocols (HTTP, RPC, etc.)
- Provides fallback authentication when protocol-specific SPNs aren't registered
- Works with constrained delegation scenarios
- Simplifies configuration for services running under machine accounts
When debugging Kerberos authentication issues, remember that:
klist get HTTP/webserver.domain.com
# Might actually use HOST/webserver.domain.com if HTTP SPN not foundYou can verify registered SPNs using:
setspn -L webserver$
# Or for a specific account:
setspn -L DOMAIN\WebAppPoolAccountIn constrained delegation setups, the HOST SPN becomes particularly important. Here's how you might configure it:
# Using AD PowerShell module:
Set-ADComputer -Identity webserver -Add @{
'msDS-AllowedToDelegateTo' = @('HOST/database.domain.com')
}