List Forest SPN Mappings

I was helping a customer set up Kerberos delegation the other day. After all these years, the specifics of this topic still seem to create uncertainty.

Eventually, the conversation turned to the SPN-Mappings attribute (LDAP name sPNMappings). This little beauty lives on the Directory Service object (class nTDSService) under CN=Windows NT,CN=Services in the configuration partition, so it is forest-wide. It lists the service classes that the "host/..." SPN of a computer is allowed to stand in for: when the KDC cannot find the SPN for a particular service class, and that class appears in the mapping list, the "host/..." SPN registered on the computer account acts as a substitute.

For example, "http/HALOMEM01" is not registered on any account. The SPN-Mappings attribute has an entry for "http". Consequently, a ticket request for "http/HALOMEM01" is satisfied by the computer account that holds "host/HALOMEM01". The flip side is that if someone does register "http/HALOMEM01" on a different account (say, a service account for an IIS application pool), the mapping no longer applies and the ticket is issued for that account instead.

We then used PowerShell to dump out the contents of SPN-Mappings. The attribute value is a single string of the form "host=alerter,appmgmt,...", so splitting on commas gives one service class per line, with the first entry carrying the "host=" prefix that names the alias.

(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=HALO,DC=NET" -properties sPNMappings).sPNMappings -split "," | Sort-Object
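
Going one step further than the dump, here is an added example (my own, not code from the original post) that resolves a requested SPN the way the KDC would: first look for the SPN as registered, and only if it is absent consult sPNMappings to see whether the "host/..." SPN of the same computer covers that service class. It assumes the ActiveDirectory module, a reachable domain, and reuses the "HALOMEM01" name from the post as a placeholder; the function names are mine.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory module and a reachable domain controller.

function Get-SpnMappingTable {
    # sPNMappings is multi-valued; each value looks like "alias=svc1,svc2,...".
    # In a default forest there is one value and the alias is "host".
    # Returns a hashtable: service class (lower case) -> alias it maps to.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                          -Properties sPNMappings
    $table = @{}
    foreach ($value in $dsObj.sPNMappings) {
        $alias, $list = $value -split '=', 2
        foreach ($svc in ($list -split ',')) {
            if ($svc) { $table[$svc.Trim().ToLower()] = $alias.Trim().ToLower() }
        }
    }
    return $table
}

function Resolve-SpnSubstitute {
    # Given a requested SPN such as "http/HALOMEM01", report which SPN (and
    # which account) would actually satisfy the ticket request.
    param(
        [Parameter(Mandatory)] [string] $Spn
    )
    $mappings = Get-SpnMappingTable
    $serviceClass, $rest = $Spn -split '/', 2
    $key = $serviceClass.ToLower()

    # 1. Registered as-is on some account? Then no mapping is involved.
    $direct = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
    if ($direct) {
        return [pscustomobject]@{ Requested = $Spn; Resolved = $Spn; Via = 'direct'; Account = $direct.DistinguishedName }
    }

    # 2. Not registered: does sPNMappings say this class falls back to an alias (normally host)?
    if ($mappings.ContainsKey($key)) {
        $alt = "$($mappings[$key])/$rest"
        $hit = Get-ADObject -LDAPFilter "(servicePrincipalName=$alt)" -Properties servicePrincipalName
        if ($hit) {
            return [pscustomobject]@{ Requested = $Spn; Resolved = $alt; Via = 'sPNMappings'; Account = $hit.DistinguishedName }
        }
    }

    # 3. Neither: the KDC has nothing to issue a ticket for (KDC_ERR_S_PRINCIPAL_UNKNOWN).
    return [pscustomobject]@{ Requested = $Spn; Resolved = $null; Via = 'none'; Account = $null }
}

# Placeholder host name taken from the post.
Resolve-SpnSubstitute -Spn 'http/HALOMEM01'
Resolve-SpnSubstitute -Spn 'MSSQLSvc/HALOMEM01:1433'   # not in the mapping list, so no host/ fallback
```

The second call is the interesting one for delegation troubleshooting: service classes that are not in the mapping list (MSSQLSvc is the usual example) get no "host/..." fallback, so the SPN has to be registered explicitly on the account running the service. The same lookup order also means that, for constrained delegation, the SPN written to msDS-AllowedToDelegateTo must match what the KDC resolves to, which is the "host/..." SPN for mapped classes that have no explicit registration.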

I've always wondered about oakley... answers on a postcard!