Q: Where are SPNs stored in
Active Directory (AD)?
A: Each object has a servicePrincipal-
Name attribute, which is a multivalue
attribute in which all SPNs are stored.
You can use ADSI Edit to view the
attribute. If the SPN is for a machine’s
Local System account, the SPN would
be stored in the servicePrincipalName
attribute of the Computers account in
AD. You shouldn’t write to this value
directly. It should be updated only via
the DsWriteAccountSpn call (but you
can update it directly by using tools
such as ADSI Edit).
When a client requests a connection
to a service, the Key Distribution
Center (KDC) searches the forest for a
user or computer account for which
the SPN is registered. If the KDC finds
registration in more than one account,
the request for authentication fails,
indicating a rogue service registration.
—John Savill