Service Principal Names
SPNs tie Kerberos service tickets to specific services and accounts. They enable single sign-on -- and they enable Kerberoasting.
A Service Principal Name (SPN) is a unique label that identifies a specific service on the network. For example, a web server and a SQL database each get their own SPN, which tells Active Directory which account runs that service. When you connect to a service, your computer presents the SPN to the KDC to request a Kerberos service ticket for it. SPNs matter because they make single sign-on work: you do not have to enter your password for every service. They also matter to attackers, because any authenticated user in the domain can look up every SPN and request a service ticket for each one, and the ticket is encrypted with the service account's password-derived key, so it can be taken offline and cracked to recover that password.
At a conference, every booth has a name tag showing the company and the person staffing it (e.g., "Web Server - run by svc_web"). When you want to visit that booth, you give the conference organizer (the KDC) the booth's name tag and receive a pass (service ticket) for it. SPNs are those name tags: they uniquely identify a service and link it to the account running it. Anyone who can read a name tag can ask for a pass, walk off with it, and try to pick its lock at leisure, which is exactly what Kerberoasting does with service tickets.
Key Takeaways
- SPNs uniquely identify services and map them to their AD account.
- Any authenticated user can query all SPNs and request service tickets.
- Kerberoasting cracks TGS tickets offline to recover service account passwords.
- gMSAs and AES-only Kerberos are the primary mitigations.
- RC4-encrypted tickets are significantly easier to crack than AES tickets.
Kerberoasting is one of the most common and effective attacks in Active Directory. Understanding SPNs is essential to understanding why this attack works and how to defend against it.
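As an added example (not code from the original page), the audit below applies the takeaways above to a directory export: it flags SPN-bearing accounts that are neither gMSAs nor machine accounts and that still permit RC4, and notes AES-only user accounts as lower-risk but still worth reviewing. The attribute names are real AD attributes; the account records, names and SPNs are constructed for the example.

```python
"""Audit an AD export for Kerberoastable service accounts (added example)."""

# Bits of msDS-SupportedEncryptionTypes as documented for Active Directory.
RC4_HMAC = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10

# Account classes whose passwords are long and random, so an offline crack
# of their service tickets is not a practical risk.
MANAGED_CLASSES = {"msDS-GroupManagedServiceAccount", "computer"}

RC4_FINDING = "RC4 ticket possible: migrate to gMSA or set AES-only"
AES_FINDING = "AES-only user account: still crackable if password is weak"


def classify(acct):
    """Return None if the account is not a Kerberoasting concern, else a finding."""
    if not acct.get("servicePrincipalName"):
        return None            # no SPN, so no service ticket can be requested
    if acct["objectClass"] in MANAGED_CLASSES:
        return None            # gMSA or machine account: random, rotated password
    etypes = acct.get("msDS-SupportedEncryptionTypes")
    if etypes is None or etypes & RC4_HMAC:
        # Unset means the domain default applies, which still permits RC4.
        return RC4_FINDING
    if etypes & (AES128_CTS | AES256_CTS):
        return AES_FINDING
    return RC4_FINDING         # no AES bit set: treat as weak


def audit(records):
    """Map sAMAccountName to finding for every account that needs attention."""
    return {r["sAMAccountName"]: f for r in records if (f := classify(r))}


# Constructed sample export: values are made up for this example.
SAMPLE = [
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"]},
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS},
    {"sAMAccountName": "gmsa_app$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/app01.corp.example"]},
    {"sAMAccountName": "WEB01$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/web01.corp.example"]},
    {"sAMAccountName": "jdoe", "objectClass": "user"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```

Run against a real export (for example the output of Get-ADUser with the ServicePrincipalName and msDS-SupportedEncryptionTypes properties), the same logic lists the accounts to migrate to gMSAs or restrict to AES.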