The Windows Security Support Provider Interface (SSPI) implementation requires that a client process use a Service Principal Name (SPN) to identify the server process that it is trying to authenticate. A JADE client process obtains the SPN of its database server from the
The simplest form of SPN is the server process account name, but this means that the server process account name must be disclosed to the client processes (that is, put in the JADE initialization file of the client process).
The standard structure for a Service Principal Name is as follows.
service-class/instance-name:port-number/service-name
The instance-name value is (usually) a fully qualified domain name. You can obtain further discussion of the SPN format in MSDN, by searching for the topic Service Principal Name.
A suggested layout for JADE database server SPNs is as follows.
"JadeDB/server-host-fully-qualified-domain-name/database-name"
The port-number value is not used.
The inconvenient problem with proper SPNs is that they must be predefined in the Active Directory by a domain administrator. The setSPN Windows command line tool performs the SPN updates.
The SPN is defined on the database server account. If there is more than one matching SPN in the directory (for example, multiple accounts have the same SPN defined), authentication fails. If the database server is run with another account, either the client nodes must use a different SPN, which is defined on the new account, or the SPN must be moved to the new account.
The account can have multiple SPNs defined, but some part of each SPN must be unique. For example, the account could have an SPN for a primary database and also one for a secondary (run on another host), so that in the case of a failover, no Active Directory (AD) changes are required.
Windows does not enforce the SPN structure. Authentication does not require that the server process is run on a machine that is registered for the host name instance-name. The SPN is just a search key to find the server process account.