A service principal name is the name by which a client uniquely identifies an
instance of a service, and is associated with the security principal (user, host, or service
in a realm) in whose security context the service executes.
Even if you are running multiple child domains, you only need to define the service
principal for the parent domain. This DHCP service principal defined at the parent
domain level will be used across the child domains.
To define a DHCP service principal for a Kerberos Realm:
- From the configuration drop-down menu, select a configuration.
- Select one of the following tabs: IP Space, DNS, Devices, TFTP, or Servers. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Select the Kerberos Realms tab. Under Kerberos Realms, click the name of a Kerberos realm.
- Click the Service Principals tab and click New.
- Under General, set the name, key version number, and password:
  - Name—enter the name of the Kerberos service principal as defined in the User Logon name field in the Windows configuration section. The typical syntax for service principal names is primary/instance. Primary is either a username or the name of a service. Instance provides information that qualifies the primary, such as describing the intended use of the credentials for a user or the fully qualified hostname for a host. Example: DHCP/dhcp1.bcn.com
  - Key Version Number—enter the msDS-KeyVersionNumber attribute value as displayed in ADSI Edit on the Windows DC for the principal's Kerberos key. If you use the ktpass command, the key version number (vno#) value can be found in the output .keytab file.
  - Password—enter the principal's Kerberos password. This is the password of the AD user account created on the Windows DC.
- Under KDCs, select the Override Realm KDCs check box if you want to assign specific KDCs to the service principal. Deselect the check box to have all available KDCs automatically assigned in order.
- Under Change Control, add comments, if required.
- Click Add.
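The key version number that the Key Version Number field asks for can be read directly from the .keytab file that ktpass writes. The following is an added example, not part of this documentation or the product: a minimal Python reader for the MIT keytab layout (format 0x0502) that reports each principal's kvno and enctype without exposing the key bytes, applied to a keytab entry constructed in the block for the sample principal DHCP/dhcp1.bcn.com; the realm BCN.COM, the enctype and the key bytes are made-up values.

```python
import struct

def _cstr(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab_entry(principal: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialise one keytab entry in the MIT 0x0502 layout (name_type 1, timestamp 0)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + _cstr(key)
    body += struct.pack(">I", kvno)            # 32-bit vno trailer; vno8 holds only the low byte
    return struct.pack(">i", len(body)) + body  # size prefix excludes the size field itself

def parse_keytab(blob: bytes) -> list[dict]:
    """Return principal, kvno and enctype for every live entry; key bytes are never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        parts = []                              # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", blob, pos)
            parts.append(blob[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", blob, pos)
        pos += 13 + klen                        # skip over the key material
        trailer = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": trailer or vno8, "etype": etype})
        pos = end
    return entries

# Constructed sample: one entry for DHCP/dhcp1.bcn.com with kvno 3 and a fake AES256 key.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry("DHCP/dhcp1.bcn.com@BCN.COM", 3, 18, b"\x11" * 32)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']}  kvno={e['kvno']}  etype={e['etype']}")
```

Compare the reported kvno with the msDS-KeyVersionNumber value shown in ADSI Edit; if they disagree, the principal's key on the DC has been rotated since the keytab was written and the value entered here will not match the DC.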