[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

Sreekanth Nadendla srenaden at microsoft.com
Wed Jun 8 19:52:22 UTC 2016

Hello Stefan, simple tests at my end using a test domain controller show that all of the following values are allowed by an MS Windows domain controller. Before I propose any doc changes, can you confirm which domain controller you used when you say "Testing against a Windows DC shows that **only** numeric characters are allowed after ':'"? Did you mean to say that the domain controller itself failed to add such an SPN? Or are you saying that it is SQL Server that didn't find an SPN that has a non-numeric character after ":"?

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2   lvisser

C:\Users\Administrator>setspn -l lvisser

Registered ServicePrincipalNames for CN=lora visser,CN=Users,DC=379135DOM,DC=LAB:


You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2

But ultimately, if the SPN does not match the string as constructed by the service, i.e. SQL Server in this case, authentication will fail.

Sreekanth Nadendla
Microsoft Windows Open Specifications
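The following is an added example, not part of this thread or of the Windows or Samba code: a small Python parser that splits an SPN into the serviceclass/host[:port][/servicename] components that the setspn tests above exercise, and a hypothetical, simplified stand-in for the validated-write host check (the host component must name the account the SPN is written on). The grammar, the `expected_mssql_spn` forms and the host-matching rule are assumptions made for illustration, not the MS-ADTS rule text; the sample SPNs are the ones from this thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[str]          # text after ':' in the host component; may be non-numeric (MYINST1 above)
    service_name: Optional[str]  # optional third component after the second '/'


def parse_spn(spn: str) -> Spn:
    """Split an SPN into serviceclass/host[:port][/servicename].

    Assumed grammar: two or three non-empty '/'-separated parts; the host part may carry
    a ':' suffix, which is treated as an opaque token (numeric or not), mirroring the
    setspn results quoted in the thread.
    """
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"SPN must be serviceclass/host[/servicename]: {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, sep, port = host_part.partition(":")
    if not host or (sep and not port):
        raise ValueError(f"empty host or empty :port in {spn!r}")
    return Spn(service_class, host, port if sep else None, service_name)


def is_numeric_port(spn: Spn) -> bool:
    """True only when the ':' suffix is all digits (it need not be a valid TCP port)."""
    return spn.port is not None and spn.port.isdigit()


def validated_write_allowed(spn_text: str, dns_host_name: str, sam_account_name: str) -> bool:
    """Hypothetical simplified validated-write check (assumption, not the MS-ADTS text):
    the SPN must parse and its host component must match the account's dNSHostName or
    its sAMAccountName without the trailing '$', compared case-insensitively.
    """
    try:
        spn = parse_spn(spn_text)
    except ValueError:
        return False
    candidates = {dns_host_name.lower(), sam_account_name.rstrip("$").lower()}
    return spn.host.lower() in candidates


def expected_mssql_spn(fqdn: str, port: Optional[int] = None, instance: Optional[str] = None) -> str:
    """Assumed forms of the SPN SQL Server builds: MSSQLSvc/FQDN:port for a port-based
    connection, MSSQLSvc/FQDN:instance for a named instance, MSSQLSvc/FQDN otherwise.
    Authentication fails unless a registered SPN matches this exact string.
    """
    if port is not None:
        return f"MSSQLSvc/{fqdn}:{port}"
    if instance is not None:
        return f"MSSQLSvc/{fqdn}:{instance}"
    return f"MSSQLSvc/{fqdn}"


if __name__ == "__main__":
    # Constructed sample: the four SPNs registered with setspn in the thread plus the Sophos one.
    for text in (
        "MSSQLSvc/myhost.379135DOM.LAB:1433",
        "MSSQLSvc/myhost.379135DOM.LAB:MYINST1",
        "MSSQLSvc/myhost.379135DOM.LAB/MYINST2",
        "MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2",
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",
    ):
        spn = parse_spn(text)
        print(text, "->", spn, "numeric port:", is_numeric_port(spn))
```

Run it as a script to see each of the thread's SPNs broken into its components; the `:port` token survives unchanged whether it is 1433, 8989797 or an instance name, which is the behaviour Sreekanth's setspn tests above describe.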

-----Original Message-----
From: Sreekanth Nadendla 
Sent: Saturday, May 28, 2016 9:22 PM
To: Stefan Metzmacher; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames

Hi Metze, I will be assisting you with your issue.


-----Original Message-----
From: Bryan Burgin 
Sent: Saturday, May 28, 2016 9:56 AM
To: Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:116052814221908] Validated-Writes of servicePrincipalNames

[Dochelp to bcc]

Hi Metze

Thank you for your question.  We created SR 116052814221908 to track this issue.  An engineer will contact you soon.


-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org] 
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames

Hi DocHelp,

we have seen client registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.

We're rejecting them, as we didn't know about the :port part, since MS-ADTS servicePrincipalName doesn't specify this optional part.

Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works with '99999'.

I also found a number of Google hits where people use things like
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric :port parts.

Can you update the MS-ADTS servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?

https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:


That should allow "MSSQLSvc/FQDN:SOMENAME" or it has to be


It would be nice to get some hints what we have to implement.

