I was helping a customer set up Kerberos delegation the other day. After all these years, the specifics of this topic still seem to create uncertainty.
Eventually, the conversation turned to the SPN-Mappings attribute. This little beauty can be found on the Directory Service object (class nTDSService) in the configuration partition. It allows the “host/…” SPN of a computer to stand in for any service whose class is listed in the attribute, i.e. if the SPN for a particular service is missing, the “host/…” SPN acts as a substitute.
For example, suppose “http/HALOMEM01” is not registered. Because the SPN-Mappings attribute has an entry for “http”, “host/HALOMEM01” is used to locate the “http” service instead.
We then used PowerShell to dump out the contents of SPN-Mappings.
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=HALO,DC=NET" -properties sPNMappings).sPNMappings -split "," | Sort-Object
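To make the substitution rule concrete, here is an added Python example (not from the original post) that parses sPNMappings values in their “target=alias1,alias2,…” form and resolves a requested SPN the way the fallback described above works: an exact match wins, otherwise a mapped service class falls back to “host/<instance>”. The HALOMEM01 names, the registered SPN set and the shortened mapping list are constructed sample data, not output from a real forest.

```python
from typing import Dict, Iterable, Optional

# Constructed sample: a trimmed subset of a forest's sPNMappings values.
# Each value is "target=alias1,alias2,..."; the attribute is multi-valued.
SAMPLE_SPN_MAPPINGS = [
    "host=alerter,cifs,dns,http,www,w3svc,oakley,msdtc,spooler,time",
]

# Constructed sample: SPNs actually registered on accounts in the domain.
SAMPLE_REGISTERED_SPNS = {
    "host/HALOMEM01",
    "host/HALOMEM01.halo.net",
    "MSSQLSvc/HALOMEM01.halo.net:1433",
}


def parse_spn_mappings(values: Iterable[str]) -> Dict[str, str]:
    """Map each alias service class to its target class (both lower-cased)."""
    aliases: Dict[str, str] = {}
    for value in values:
        target, sep, alias_list = value.partition("=")
        if not sep:
            raise ValueError(f"malformed sPNMappings value: {value!r}")
        for alias in alias_list.split(","):
            alias = alias.strip().lower()
            if alias:
                aliases[alias] = target.strip().lower()
    return aliases


def resolve_spn(requested: str, registered: Iterable[str],
                mappings: Dict[str, str]) -> Optional[str]:
    """Return the registered SPN that satisfies `requested`, or None.

    SPN comparison is case-insensitive. An exact match wins; otherwise, if
    the service class is an alias in sPNMappings, the same instance part
    (host, optional :port) is retried under the target class, e.g. host/.
    """
    by_lower = {spn.lower(): spn for spn in registered}
    if requested.lower() in by_lower:
        return by_lower[requested.lower()]
    service_class, sep, instance = requested.partition("/")
    if not sep or not instance:
        return None  # not a well-formed "class/instance" SPN
    target = mappings.get(service_class.lower())
    if target is None:
        return None  # class is not mapped: no substitute is tried
    return by_lower.get(f"{target}/{instance}".lower())
```

Because every mapped class rides on “host/”, an SPN or delegation review that only searches for the specific service SPN (say “http/…”) will overlook servers that are reached through “host/…” alone.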
I’ve always wondered about oakley… answers on a postcard!