Does HOST truly represent everything within the Windows SPN specs?

Published / by Chen Ye


We all know that when a machine joins an AD domain, it registers two SPNs by default, HOST/NetBIOSName and HOST/FQDN. We also know that those two SPNs stand in for various service principal names through something called the catch-all mechanism.

That means that if a Windows client wants to access an SMB share, it can ask the KDC for this machine's SPN in cifs/FQDN format; if it wants to access web services (assuming the machine provides this service), it can ask the KDC for this machine's SPN in http/FQDN format.

But do you have an inner voice asking which passage I based this on? At least I asked myself this question, and I spent half a day searching for the source of the catch-all mechanism. However, I could find nothing on Microsoft's official website to decipher how/when/why it works 🙁
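The lookup described above can be sketched as a simplified model; this is an added example, not code from the original post or from Microsoft. Active Directory keeps the alias list in the `sPNMappings` attribute of the `CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration` object; the mapping subset, the account names and the `corp.example` domain below are constructed for illustration.

```python
# Simplified model of HOST alias resolution for SPN lookups (added example).
# SPN_MAPPINGS is a constructed subset in the "alias=class,class,..." form
# used by the sPNMappings attribute; it is not the full default list.
SPN_MAPPINGS = ["host=cifs,http,www,rpcss,spooler,schedule,dns,time"]

# Constructed directory: account name -> registered servicePrincipalName values.
DIRECTORY = {
    "FS01$": ["HOST/FS01", "HOST/fs01.corp.example"],
    "WEB01$": ["HOST/WEB01", "HOST/web01.corp.example"],
    "svc-web": ["http/web01.corp.example"],
}


def parse_mappings(values):
    """Return {service_class: alias_class}, e.g. {'cifs': 'host'}."""
    table = {}
    for value in values:
        alias, _, classes = value.partition("=")
        for cls in classes.split(","):
            if cls.strip():
                table[cls.strip().lower()] = alias.strip().lower()
    return table


def find_account(spn, directory):
    """Case-insensitive exact match on a registered SPN."""
    wanted = spn.lower()
    for account, spns in directory.items():
        if any(s.lower() == wanted for s in spns):
            return account
    return None


def resolve_spn(requested, directory=DIRECTORY, mappings=SPN_MAPPINGS):
    """Return (account, matched_spn), or (None, None) if nothing matches."""
    service_class, sep, rest = requested.partition("/")
    if not sep or not rest:
        raise ValueError(f"not a service/host SPN: {requested!r}")
    # 1. An explicitly registered SPN always wins.
    account = find_account(requested, directory)
    if account:
        return account, requested
    # 2. Otherwise retry with the alias class (HOST) if the class is mapped.
    alias = parse_mappings(mappings).get(service_class.lower())
    if alias:
        candidate = f"{alias.upper()}/{rest}"
        account = find_account(candidate, directory)
        if account:
            return account, candidate
    return None, None
```

In this model a service class that is absent from the mapping, such as `MSSQLSvc`, is not covered by HOST and resolves only if it is registered explicitly.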

