Use of SPNs

Discussion in 'Server Security' started by Danny Cooper, Nov 5, 2004.

  1. Danny Cooper (Guest)

    Can someone explain SPNs and delegation restrictions to me please.

    I have a Windows Server 2003 AD, with forest and domain at 2003 Native level.

    In that I have a service (Backup Exec in this case) that does not
    normally use SPNs, and uses a single account for its services.

    I create an SPN on the account to use for the Backup Exec service.

    The "Delegation" page now appears in ADUC when viewing the Properties
    of the Backup Exec service account

    I set the delegation restriction to be for the selected SPN on the
    user account, Kerberos authentication only.

    I confirm that I can stop and start the services of Backup Exec fine.

    But... any other services can also log on as the account - why?

    If I set the Delegation page option so that the account cannot be
    delegated, all services continue to be able to log on using the
    account - including Backup Exec.

    If I also set the attribute for "account is sensitive and cannot be
    delegated" on the Account page of the account in ADUC, again services
    can continue to log on as the account as they like.

    How can I get SPN delegation restrictions to actually do something?


    Danny Cooper.
    Danny Cooper, Nov 5, 2004

  2. Roger Abell (Guest)

    SPN is a name mapping technique defined in the Kerberos GSS
    (General Security Service) technology. Since Backup Exec does
    not, as you say, use SPNs, defining an SPN for the account used for
    the Backup Exec service(s) will have no effect (i.e. Backup Exec
    is not written as a Kerberos-aware application). If you want to
    understand SPNs you can look these up in any decent reference
    for Kerberos. Since Windows names do not have the same form
    as defined for services in a Kerberos realm, SPNs are needed in
    a Windows AD system for all accounts used for Kerberos-based
    services to establish the "aliasing" for the Windows principal to
    its naming in Kerberos-speak. SPNs in a Unix-based Kerberos
    realm are used for similar "aliasing" situations where defaults
    will not allow correct location of the service based on the name
    of the principal.

    When you have defined a Windows account with sufficient rights
    that it may be used as the service account for Backup Exec, it is
    not surprising that this same account can be used for a number of
    other services. That is, since that account is configured with the
    needed rights (like "log on as a service") so that it is enabled to
    register service instances at startup, it would work also for other
    services, unless it does not have access to some needed resources
    (service-specific files, enterprise components, etc.) or attempts
    things only allowed to the Administrators group (or to System).

    Enabling an account for delegation is saying that the account can
    assume the credentials of another account, if that account allows
    the impersonation. Saying an account is sensitive and cannot be
    delegated is flagging that account so that it cannot be impersonated
    by an account that has been trusted for delegation. These are
    independent from, but usable together with, Kerberos, and so with
    "Kerberized" services.
    Roger Abell, Nov 6, 2004
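The settings the thread is talking about, as an added PowerShell example that is not part of the original posts: register the SPN, set constrained delegation for Kerberos only, flag an account as sensitive, read back what AD actually stored, and check the local user right that governs "log on as a service". The account, host and SPN names are assumptions for illustration; it needs the ActiveDirectory module and write access to the objects.

```powershell
# Added example (not from the thread). Names below are assumptions.
Import-Module ActiveDirectory

$svcAccount = 'svc-backupexec'                          # assumed service account
$spn        = 'BackupExec/backup01.corp.example.com'    # assumed SPN for the service
$target     = 'cifs/fileserver01.corp.example.com'      # assumed delegation target

# 1. Register the SPN (what "setspn -S" does). This only lets the KDC map
#    requests for that service name to this account; it has no bearing on
#    whether the account may be used to start a Windows service.
Set-ADUser -Identity $svcAccount -ServicePrincipalNames @{Add = $spn}

# 2. Constrained delegation, "Use Kerberos only": list the targets in
#    msDS-AllowedToDelegateTo and keep both UAC delegation bits clear.
#    TrustedForDelegation     = unconstrained delegation (the old all-or-none grant)
#    TrustedToAuthForDelegation = "use any authentication protocol" (protocol transition)
Set-ADUser -Identity $svcAccount -Add @{'msDS-AllowedToDelegateTo' = $target}
Set-ADAccountControl -Identity $svcAccount -TrustedForDelegation $false `
                                           -TrustedToAuthForDelegation $false

# 3. "Account is sensitive and cannot be delegated" (NOT_DELEGATED) protects the
#    account that would be impersonated, so it belongs on admin accounts, not on
#    the service account that does the delegating.
Set-ADAccountControl -Identity 'Administrator' -AccountNotDelegated $true

# 4. Read back the stored state for the service account.
Get-ADUser -Identity $svcAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation,
    TrustedToAuthForDelegation, AccountNotDelegated |
  Select-Object SamAccountName, servicePrincipalName,
    @{n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' }},
    TrustedForDelegation, TrustedToAuthForDelegation, AccountNotDelegated

# 5. What decides which services may run under the account on a given host is
#    the "Log on as a service" right (SeServiceLogonRight) plus knowledge of the
#    password. Export the effective local policy and inspect that right.
secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
Select-String -Path "$env:TEMP\secpol.cfg" -Pattern '^SeServiceLogonRight'
```

Step 5 is the answer to the original question: the Delegation tab and the sensitive flag shape only what the KDC will issue to or on behalf of the account (forwarded or S4U tickets); nothing there restricts which services may log on with the account's password, so Backup Exec and every other service keep working whatever those settings say.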

  3. Danny Cooper (Guest)

    Ah, thanks. In the Microsoft papers there is great play on the new
    constrained delegation feature, but almost no practical example of its
    use outside of IIS and SQL Server, which is why I was experimenting.
    Danny Cooper, Nov 8, 2004
  4. Roger Abell (MVP)

    Right, constrained delegation (as compared to prior all-or-none
    grants) is a much needed improvement.
    Of course, if you are dealing with a software that does not
    do any impersonating it is impossible to use it to explore this.
    Roger Abell [MVP], Nov 9, 2004
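A domain-wide view of the same distinction, as an added PowerShell example that is not from the thread: enumerate every account with any form of Kerberos delegation configured, decode the userAccountControl bits directly to separate unconstrained delegation from constrained (Kerberos only) and constrained with protocol transition, and list members of Domain Admins that lack the NOT_DELEGATED flag and could therefore be impersonated by those accounts. The two functions are written for this example; the bit values are the schema-defined ones.

```powershell
# Added example (not from the thread): audit Kerberos delegation across the domain.
Import-Module ActiveDirectory

# userAccountControl bit values (from the AD schema, not assumptions)
$TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained, the old all-or-none grant
$NOT_DELEGATED                  = 0x0100000   # "account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained + "use any authentication protocol"

function Get-DelegationPosture {
    # LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 selects objects with
    # a given UAC bit set; msDS-AllowedToDelegateTo=* catches Kerberos-only
    # constrained delegation, which sets no UAC bit at all.
    $filter = '(&(objectClass=user)(|' +
              '(userAccountControl:1.2.840.113556.1.4.803:=524288)' +     # 0x80000
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +   # 0x1000000
              '(msDS-AllowedToDelegateTo=*)))'
    Get-ADObject -LDAPFilter $filter -Properties samAccountName, userAccountControl,
        'msDS-AllowedToDelegateTo', servicePrincipalName, objectClass |
      ForEach-Object {
        $uac     = [int]$_.userAccountControl
        $targets = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $kind = if ($uac -band $TRUSTED_FOR_DELEGATION)         { 'Unconstrained' }
                elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained+ProtocolTransition' }
                elseif ($targets.Count -gt 0)                   { 'Constrained(KerberosOnly)' }
                else                                            { 'None' }
        [pscustomobject]@{
            Account    = $_.samAccountName
            Class      = $_.objectClass          # user or computer
            Delegation = $kind
            Targets    = ($targets -join ';')    # empty for unconstrained: any service
            HasSPN     = @($_.servicePrincipalName).Count -gt 0
        }
      }
}

# Privileged accounts that are not flagged NOT_DELEGATED can be impersonated by
# the accounts above (toward any service for unconstrained, toward the listed
# targets for constrained).
function Get-UnprotectedPrivilegedAccounts {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
      Where-Object objectClass -eq 'user' |
      Get-ADUser -Properties userAccountControl |
      Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) } |
      Select-Object SamAccountName
}

Get-DelegationPosture | Sort-Object Delegation, Account | Format-Table -AutoSize
Get-UnprotectedPrivilegedAccounts
```

Anything reported as Unconstrained is the case the thread calls "all or none": that account can reuse a forwarded TGT of any user who authenticated to it against any service, which is why constrained delegation (and the NOT_DELEGATED flag on admin accounts) is the improvement the post describes.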