A service principal name is the name by which a client uniquely identifies an
instance of a service, and is associated with the security principal (user, host, or service
in a realm) in whose security context the service executes.
Even if you are running multiple child domains, you only need to define the service
principal for the parent domain. This DHCP service principal defined at the parent
domain level will be used across the child domains.
To define a DHCP service principal for a Kerberos Realm:
-
Select the Global tab in the sidebar, then select
Configurations.
-
Select the name of a configuration.
-
Select the Kerberos realms tab.
-
Select the name of a Kerberos realm.
-
Select the Kerberos service principals tab.
-
Select New.
-
On the General tab, set the name, key version number,
and password:
- Name—enter the name for the Kerberos service
principal defined in the User Logon name field in Windows configuration
section. The typical syntax for service principal names is
primary/instance. Primary is either a username or the
name of a service. Instance provides information that qualifies
the primary, such as describing the intended use of the credentials for
a user or the fully qualified hostname for a host. Example:
DHCP/dhcp1.bcn.com
- Key version number—enter the
msDS-KeyVersionNumber attribute value as displayed in ADSI
Edit on the Windows DC for the principal’s Kerberos key. If you
use the ktpass command, the key version number
(vno#) value can be found in the output .keytab
file.
- Password—enter the principal’s Kerberos password.
This is the AD user account password created on Windows DC.
-
On the KDCs tab, using the Override key
distribution centers field, select and add (+) one or
more key distribution centers to assign specific KDCs to the service principal.
If no KDC overrides are added here, all available KDCs are automatically
assigned in order.
-
In the Change control
section, add comments if required.
-
Select Create or Create and add
another.