Is Host truly representing everything within Windows SPN specs?


We all know that when a machine joins an AD domain it registers two SPNs by default, HOST/NetBIOSName and HOST/FQDN, and we also know that these two SPNs stand in for a long list of other service principal names through something usually called the catch-all mechanism.

That means that when a Windows client wants to access an SMB share, it can ask the KDC for a ticket to this machine's SPN in the form cifs/FQDN, and when it wants to access a web service (assuming the machine provides one), it can ask the KDC for a ticket to http/FQDN; in both cases the KDC satisfies the request from the HOST/FQDN registration, with no cifs/ or http/ SPN explicitly present on the computer account.

But do you hear the inner voice asking which passage this is actually based on? At least I asked myself that question, and spent half a day searching for the source of the catch-all mechanism; however, I could find nothing on Microsoft's official website that explains how, when or why it works 🙁

These are the SPN references I could find from Microsoft:

Microsoft Developer Network – SPN :

Service Principal Names Nutshell :


Finally, and luckily, I found a tool that confirms my view: the host service class maps to a whole set of services that a machine can provide.


For Windows 2008 R2:




For Windows 2012 R2:




The useful adfind tool used above was downloaded from the SPN mappings tools page.
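What adfind is reading in the screenshots above is the sPNMappings attribute of the Directory Service object in the Configuration partition; the value of the form host=alias1,alias2,... is the list of service classes that HOST stands in for. The PowerShell below is an added example (not from the original post or from adfind) that reads that attribute with the ActiveDirectory RSAT module and tests whether a given service class is covered by HOST. It assumes a domain-joined session with permission to read the Configuration partition; the function names are my own.

```powershell
# Added example: read the sPNMappings attribute that defines which service
# classes the HOST SPN stands in for, and test whether a given class is covered.
# Assumes the ActiveDirectory RSAT module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

function Get-HostSpnMappings {
    # The attribute lives on the Directory Service object in the Configuration partition:
    # CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=...
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties sPNMappings

    # Each value has the form "<class>=<alias1>,<alias2>,..."; by default only "host=..." exists.
    $map = @{}
    foreach ($value in $dsObject.sPNMappings) {
        $class, $aliases = $value -split '=', 2
        $map[$class.Trim().ToLower()] = @($aliases -split ',' | ForEach-Object { $_.Trim().ToLower() })
    }
    return $map
}

function Test-ServiceClassCoveredByHost {
    param(
        [Parameter(Mandatory)][string]$ServiceClass,
        [hashtable]$Mappings = (Get-HostSpnMappings)
    )
    # $true  : a request for <ServiceClass>/<host> is served by the machine's HOST/<host> SPN
    # $false : the service needs its own explicit SPN on the account running it
    return ($Mappings['host'] -contains $ServiceClass.ToLower())
}

# Usage: show the size of the catch-all list and probe a few well-known classes.
$mappings = Get-HostSpnMappings
"HOST covers {0} service classes" -f $mappings['host'].Count
foreach ($class in 'cifs', 'http', 'www', 'MSSQLSvc', 'ldap') {
    "{0,-10} covered by HOST: {1}" -f $class, (Test-ServiceClassCoveredByHost -ServiceClass $class -Mappings $mappings)
}
```

Any class that comes back as not covered (SQL Server's MSSQLSvc is the usual one) is a service that still needs an explicit SPN registered with setspn, which is exactly why Kerberos to SQL Server so often falls back to NTLM while Kerberos to file shares just works.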


Referenced Links and documents:

Useful commands to locate duplicate SPN issues:

Event ID 11 in the System log of domain controllers


Use the LDP support tool


Before Windows Server 2012 the tool to use is ldifde; it dumps the SPNs for the whole forest (through the Global Catalog on port 3268) to a text file for your reference.

> ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=HOST/mycomputer*)" -p subtree


Alternatively, use the querySpn.vbs script from the Microsoft TechNet article (saved here as spnquery.vbs).

 > cscript spnquery.vbs HOST/mycomputer* >check_SPN.txt

The source code below is saved as spnquery.vbs.
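The same forest-wide duplicate check, as an added PowerShell example that is not part of the original post or the TechNet script: it queries one Global Catalog on port 3268 (the same scope as the ldifde command above), groups every SPN by case-insensitive value and reports those registered on more than one account. It assumes the ActiveDirectory RSAT module and read access to the Global Catalog; the function name and the optional LDAP filter parameter are my own. On Windows Server 2008 and later, `setspn -X -F` performs an equivalent forest-wide duplicate search.

```powershell
# Added example: locate duplicate SPNs across the forest.
# Assumes the ActiveDirectory RSAT module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # Narrow the search the same way the ldifde/vbs examples do, e.g. 'servicePrincipalName=HOST/mycomputer*'
        [string]$Filter = 'servicePrincipalName=*'
    )
    # One Global Catalog on port 3268 covers every domain in the forest.
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    $objects = Get-ADObject -LDAPFilter "($Filter)" `
                            -Properties servicePrincipalName `
                            -Server "${gc}:3268"

    # Map each SPN to the list of accounts that carry it.
    $owners = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            # SPNs are matched case-insensitively by the KDC, so normalise before grouping.
            $key = $spn.ToLower()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($obj.DistinguishedName)
        }
    }

    # Anything owned by more than one account is a duplicate; the KDC cannot tell
    # which account's key to encrypt the service ticket with (KRB_AP_ERR_MODIFIED territory).
    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                SPN    = $entry.Key
                Count  = $entry.Value.Count
                Owners = ($entry.Value -join '; ')
            }
        }
    }
}

# Usage: report all duplicates in the forest, then re-check one computer's HOST SPNs only.
Find-DuplicateSpn | Format-Table -AutoSize
Find-DuplicateSpn -Filter 'servicePrincipalName=HOST/mycomputer*' | Format-Table -AutoSize
```

Note that this only finds literal duplicates. Because of the catch-all mechanism, a cifs/server SPN explicitly registered on one account and HOST/server on the computer account are not reported as a duplicate, even though they describe the same service; when chasing a Kerberos failure for a single host, look at both its explicit SPNs and its HOST entries.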


Kerberos errors in network captures

About Kerberos Principals and Keys




