
Kerberos keytab part-2

Add HTTP principal to service account

If the official Microsoft documentation quoted below feels complicated, scroll down to the summary that follows it.

An SPN is the name by which a client uniquely identifies an instance of a service.

If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN.

A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication.

  • The HTTP service class

The HTTP service class differs from the HTTP protocol.

Both the HTTP protocol and the HTTPS protocol use the HTTP service class.

Be aware that the SPN syntax uses a forward slash character (/) to separate elements.

Therefore, the forward slash character (/) cannot appear in a service class name.

  • The HOST service and the HTTP service class

The Kerberos protocol uses the HOST SPN to access the host computer.

The Kerberos protocol uses the long-term key on the host computer to create a service ticket.

The HTTP service class is one of the built-in services that act as an alias to the HOST SPN.

The HOST SPN is mapped to the host computer account.

Therefore, when you use the default HTTP service class, the Kerberos protocol uses the computer account as the service account to request a service ticket.

  • What does all this really mean?

From the previous post we have the following:

Domain Name

Service Account Name

Service Account Password

Now we want to enable Kerberos, that is automatic login, for a website.

This website will have a fully qualified domain name, example:

www.local-dev-environment.domain

www.local-test-environment.domain

So now let us add this website name to the service account.

For this, ask a system administrator to run the commands below.

  • Command to add the dev and test environment fully qualified domain names to domain\serviceaccount

```
$ setspn -S HTTP/local-dev-environment.domain dummydomain\myserviceaccount

$ setspn -S HTTP/local-test-environment.domain dummydomain\myserviceaccount
```

An SPN of the form HTTP/<fully qualified domain name> is known as an HTTP principal. The -S switch first checks the forest for an existing account that already holds the same SPN and refuses to add a duplicate, which is why it is preferred over -A.

  • Command to verify that the link has been made correctly

```
$ setspn -L dummydomain\myserviceaccount

HTTP/local-dev-environment.domain
HTTP/local-test-environment.domain
```
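The two steps above, deriving the SPN a browser will request for a site and confirming it is registered on the service account, can be checked without reading the listing by eye. The script below is an added example, not code from the original post: it builds the expected HTTP/host SPN from a site URL, parses the text that setspn -L prints, reports SPNs that are still missing, and flags any SPN that more than one account holds. The listings, account names and URLs in it are constructed for the example, not captured from a real domain.

```python
"""Check that the HTTP SPNs a web site needs are registered on the service
account, and that no other account holds the same SPN. Added example, not
from the original post; the setspn listings below are constructed text in
the shape `setspn -L` prints, not captured output."""
from urllib.parse import urlsplit


def spn_for_url(url: str) -> str:
    """Return the SPN a Kerberos client requests for an HTTP(S) URL.

    http:// and https:// both map to the HTTP service class, and the host
    part must be exactly the name the client types (a request for
    https://www.site/ needs HTTP/www.site, not HTTP/site).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an HTTP(S) URL with a host: {url}")
    return f"HTTP/{parts.hostname}"


def parse_setspn_listing(text: str) -> list:
    """Extract the SPNs from `setspn -L <account>` output.

    setspn prints a 'Registered ServicePrincipalNames for <DN>:' header
    followed by one indented SPN per line; header and blank lines are dropped.
    """
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":") or "/" not in line:
            continue
        spns.append(line)
    return spns


def missing_spns(site_urls, listing_text: str) -> list:
    """SPNs needed for the given site URLs that the listing does not contain.

    Comparison is case-insensitive, matching how AD looks SPNs up.
    """
    registered = {s.lower() for s in parse_setspn_listing(listing_text)}
    return [spn for spn in map(spn_for_url, site_urls)
            if spn.lower() not in registered]


def duplicate_spns(listings: dict) -> dict:
    """SPNs that appear under more than one account (account -> listing text).

    With a duplicate SPN the KDC cannot tell which account's key the service
    ticket should be encrypted with, so Kerberos logon to the site fails.
    `setspn -X` performs this check forest-wide against the directory.
    """
    owners = {}
    for account, text in listings.items():
        for spn in parse_setspn_listing(text):
            owners.setdefault(spn.lower(), []).append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


# Constructed sample, shaped like `setspn -L dummydomain\myserviceaccount`.
SERVICE_ACCOUNT_LISTING = """\
Registered ServicePrincipalNames for CN=myserviceaccount,OU=ServiceAccounts,DC=dummydomain,DC=local:
        HTTP/local-dev-environment.domain
        HTTP/local-test-environment.domain
"""

# Constructed listing for a web server's computer account that (wrongly)
# also holds the test SPN.
WEB_SERVER_LISTING = """\
Registered ServicePrincipalNames for CN=WEBSRV01,CN=Computers,DC=dummydomain,DC=local:
        HOST/WEBSRV01
        HOST/websrv01.dummydomain.local
        HTTP/local-test-environment.domain
"""

# Constructed site URLs; the third one has no SPN registered yet.
SITES = [
    "https://local-dev-environment.domain/",
    "https://local-test-environment.domain/login",
    "https://intranet.dummydomain.local/",
]

if __name__ == "__main__":
    print("missing:", missing_spns(SITES, SERVICE_ACCOUNT_LISTING))
    print("duplicates:", duplicate_spns({
        r"dummydomain\myserviceaccount": SERVICE_ACCOUNT_LISTING,
        r"dummydomain\WEBSRV01$": WEB_SERVER_LISTING,
    }))
```

Feed it the real output of setspn -L for each account involved (the service account and the web server's computer account, whose HOST SPN the HTTP class would otherwise alias to) and it tells you both what is still missing and what is registered twice. Note the host check is strict: if users browse to www.local-dev-environment.domain, the SPN must carry that exact name.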
  • Command to delete the link

If a mistake was made while linking, the SPN can be removed with the command below:

```
$ setspn -D HTTP/local-dev-environment.domain dummydomain\myserviceaccount
```
This post is licensed under CC BY 4.0 by the author.