Configuring virtual accounts
Another kind of service account is the virtual account. Virtual accounts require no configuration to access local resources. To use a virtual account for a service, simply enter NT SERVICE\<ServiceName> for the account name, and leave the password blank.
Virtual accounts can be used for services that require network access, but it isn't recommended. To give the virtual accounts access to network resources, you need to give the computer account for the computer where the service is located permission to access the resource. Instead, it's recommended to use gMSAs for services that require network access.
You can use virtual accounts with IIS. The user is called IIS AppPool\<apppoolname> (for example, IIS AppPool\DefaultAppPool).
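The following PowerShell, added here as an example and not taken from the book, configures a service to run under its virtual account exactly as the text describes (account name NT SERVICE\<ServiceName>, empty password), verifies the change, and then grants that virtual account a local NTFS permission by name. The service name ContosoSvc and the log folder path are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the book): put a service on its virtual account and verify it.
# Assumption: a service named 'ContosoSvc' already exists on this host.
$serviceName = 'ContosoSvc'

# Win32_Service.Change accepts the logon identity as StartName. For a virtual account the
# password is simply an empty string, matching the blank password field in the Services console.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = "NT SERVICE\$serviceName"
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# The new identity takes effect on the next start of the service.
Restart-Service -Name $serviceName

# Verify: StartName should now read NT SERVICE\ContosoSvc.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State

# Virtual accounts need no configuration, but you can still grant them local rights
# by name. Assumption: the service writes logs to this folder.
$logPath = 'C:\ProgramData\ContosoSvc\Logs'
$acl  = Get-Acl -Path $logPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT SERVICE\$serviceName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $logPath -AclObject $acl

# Note for auditing: when this service reaches a network resource, the remote system sees
# the computer account (DOMAIN\HOSTNAME$), not NT SERVICE\ContosoSvc. That is why the text
# recommends a gMSA instead when network access is required: the remote ACL and the
# security log then name the specific service identity rather than the whole computer.
```

The same Change method works for the IIS AppPool\<apppoolname> identity described above, but for IIS the application pool identity is normally set through the IIS configuration rather than on a Win32 service.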
Managing service principal names
A service principal name (SPN) is the name by which a client uniquely identifies an instance of
a service. If there are multiple instances of a service on computers throughout a forest, each
instance must have its own SPN. One service instance can have multiple SPNs where there are
multiple names that clients might use for authentication. For example, an SPN always includes
the name of the host computer on which the service instance is running, so a service instance
might register an SPN for each name or alias of its host.
SPNs are of the format serviceclass/host:port/servicename, where serviceclass and host are required, but port and servicename are optional. The colon between host and port is only required when a value for port is present.
The elements of an SPN are described in Table 5-2.
TABLE 5-2 The elements of an SPN

serviceclass: A string that identifies the general class of service; for example, "SqlServer". There are well-known service class names, such as "www" for a Web service or "ldap" for a directory service. In general, this can be any string that is unique to the service class. The SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name.

host: The name of the computer on which the service is running. This can be a fully-qualified DNS name or a NetBIOS name. Be mindful that NetBIOS names are not guaranteed to be unique in a forest, so an SPN that contains a NetBIOS name may not be unique.

port: An optional TCP or UDP port number to distinguish between multiple instances of the same service class on a single host computer. Omit this element if the service uses the default port for its service class.
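As an added example (not from the book), the PowerShell below breaks an SPN into the elements of Table 5-2, flags the NetBIOS-host case the table warns about, and then uses setspn.exe to check the forest for an existing holder before registering the name. The SPN strings and the account CONTOSO\svc-sql are constructed placeholders; setspn.exe and its -Q, -S and -X switches are the standard Windows tool.

```powershell
# Added example (not from the book): parse and validate SPNs, then register one safely.

function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)

    # Format: serviceclass/host:port/servicename. serviceclass and host are required;
    # ':port' and '/servicename' are optional. A slash cannot appear in serviceclass.
    $pattern = '^(?<class>[^/]+)/(?<host>[^:/]+)(?::(?<port>\d+))?(?:/(?<name>.+))?$'
    if (-not ($Spn -match $pattern)) { throw "Not a well-formed SPN: $Spn" }

    [pscustomobject]@{
        ServiceClass = $Matches['class']
        Host         = $Matches['host']
        Port         = if ($Matches['port']) { [int]$Matches['port'] } else { $null }
        ServiceName  = $Matches['name']
        # A host without a dot is a NetBIOS name, which is not guaranteed unique forest-wide.
        HostIsFqdn   = $Matches['host'].Contains('.')
    }
}

# Constructed sample SPNs
ConvertFrom-Spn 'MSSQLSvc/sql01.contoso.com:1433'   # class, FQDN host, explicit port
ConvertFrom-Spn 'ldap/dc01.contoso.com/contoso.com' # class, host, servicename, default port
ConvertFrom-Spn 'www/web01'                         # NetBIOS host: HostIsFqdn is $false

# Registering: two accounts holding the same SPN breaks Kerberos for that service, because
# the KDC cannot tell which account's key to use for the ticket. setspn -Q searches the
# forest for an existing holder before you add anything.
$spn     = 'MSSQLSvc/sql01.contoso.com:1433'
$account = 'CONTOSO\svc-sql'   # placeholder service account

$query = setspn.exe -Q $spn
if ($query -match 'Existing SPN found') {
    Write-Warning "$spn is already registered; do not add it to $account"
    $query
} else {
    # -S checks for duplicates before adding; -A would add without that check.
    setspn.exe -S $spn $account
}

# Periodic hygiene check: list every duplicate SPN in the forest.
setspn.exe -X
```

Because each service instance needs its own SPN, and one instance may register an SPN per host name or alias, a routine setspn.exe -X run is the quickest way to catch the duplicates that appear when a host is renamed or a service is moved between accounts.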