I remember the first time I saw the acronym SPN when I was introduced to WCF some years ago.
After reading the article in MSDN I didn't feel better. What is a ServicePrincipalName?
The way I usually think of it now (and I apologize to those of you who don't know the DNS lingo) is that it is conceptually the same as a CNAME record.
An SPN is nothing more fancy than an alias (or pointer) for a domain account, e.g.
HTTP/HRWeb is an alias for the domain account MyDomain\HRWebAct
You can have more than one SPN pointing to the same domain account:
HTTP/HRWeb2 is also an alias for the domain account MyDomain\HRWebAct
In fact, the SPN "HTTP/HRWeb" is an entry in the attribute servicePrincipalName of the account HRWebAct in the Windows Active Directory domain MyDomain.com. §
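To make the alias picture concrete, here is an added PowerShell example (my addition, not code from the original post). It models accounts the way Get-ADUser returns them, with a SamAccountName and a servicePrincipalName list, resolves an SPN back to the account it points to, and flags the one thing an administrator should check for: the same SPN registered on two accounts. The account names and the extra FQDN-style SPN are constructed sample data; the commands mentioned in the comments (Get-ADObject, setspn) are the real tools you would use against a live domain.

```powershell
# Added example: SPN -> account resolution and duplicate check over constructed data.
# On a real domain the account list would come from, for instance:
#   Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName

function Parse-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    # SPN syntax: <service class>/<host>[:<port>][/<service name>]
    if ($Spn -notmatch '^(?<class>[^/]+)/(?<host>[^/:]+)(?::(?<port>\d+))?(?:/(?<name>.+))?$') {
        throw "Not a valid SPN: $Spn"
    }
    [pscustomobject]@{
        Spn          = $Spn
        ServiceClass = $Matches.class
        Host         = $Matches.host
        Port         = if ($Matches.port) { [int]$Matches.port } else { $null }
        ServiceName  = $Matches.name
    }
}

function Get-SpnIndex {
    param([Parameter(Mandatory)][object[]]$Accounts)
    # Reverse account -> SPN list into SPN -> account(s). SPNs compare case-insensitively.
    $index = @{}
    foreach ($acct in $Accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $acct.SamAccountName
        }
    }
    $index
}

# Constructed sample: the two aliases for HRWebAct from the post, plus a second
# account that (by mistake) also got HTTP/HRWeb2 registered on it.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'HRWebAct';   servicePrincipalName = @('HTTP/HRWeb', 'HTTP/HRWeb2', 'HTTP/hrweb.mydomain.com') }
    [pscustomobject]@{ SamAccountName = 'PayrollSvc'; servicePrincipalName = @('HTTP/Payroll', 'HTTP/HRWeb2') }
)

$index = Get-SpnIndex -Accounts $sample

# Which account is HTTP/HRWeb an alias for?
# Live equivalent: Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/HRWeb)'
"HTTP/HRWeb -> $($index['http/hrweb'] -join ', ')"

# Duplicate check: an SPN present on two accounts leaves the KDC unable to tell
# which account's key to use, and Kerberos authentication to that service breaks.
# Live equivalent: setspn -X
$index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { "DUPLICATE: $($_.Key) is registered on $($_.Value -join ' and ')" }

# The parser, shown on an SPN with an explicit port (constructed value)
Parse-Spn 'MSSQLSvc/sql01.mydomain.com:1433' | Format-List
```

Run on the sample data this prints that HTTP/HRWeb resolves to HRWebAct and reports HTTP/HRWeb2 as a duplicate across HRWebAct and PayrollSvc. The reverse index is the useful mental model: the directory stores SPNs per account, but Kerberos looks them up the other way round, from the name a client asks for to exactly one account.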
The next obvious question would be: why do you need an alias?
The answer to that is a bit longer, and this is the beginning of the journey into the mystery of Kerberos.
Let me start with a little quiz that illustrates the complexity of Kerberos and the reason why people shy away from using Kerberos. The quiz is based on a real customer experience but sanitized to protect the customer identity.
(The following could also be a question in a certification test in Windows and Kerberos).
Then (as usual for this kind of certification test) a list of what you do to solve this requirement:
Will this list of actions satisfy the requirement? [Yes / No]
I will supply the answer and explanations to the question in my next post. Feel free to comment with your answer and explanation.
§ I am very well aware that you can use Kerberos in environments other than Windows. I may come back to that topic another day.