According to Microsoft's documentation: A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account. Doing so allows a client application to request service authentication for an account even if the client doesn't have the account name.
Canaries use these SPN records to better mimic live servers that expose services, further adding to their ability to lure in attackers. When you join your Canary to Active Directory, these records are added automatically if the credentials used have sufficient privileges.
If the credentials used do not have the correct privileges, you can manually create records as needed using the setspn tool.
As an example, let's consider our setup as follows:
- Our domain is corp.thinkst.com
- We have a Canary (srv01) that is running MSSQL and LDAP services
Now, if we need to manually create SPN records for this Canary, we would open PowerShell and run the following:
setspn -a MSSQLSvc/srv01.corp.thinkst.com srv01
setspn -a TERMSRV/srv01.corp.thinkst.com srv01
We can now view our new records by running:
setspn -Q */*srv01
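The same procedure as a repeatable script, as an added example that is not part of Thinkst's documentation. It adds only the SPNs that are missing, uses `setspn -S` (which checks the domain for a duplicate before adding) and confirms the result with `setspn -L`. The account name, hostname and service classes are taken from the example setup above; the variable and function names are illustrative.

```powershell
# Added example, not Thinkst's code. Values come from the article's example setup.
$Account  = 'srv01'                       # the Canary's computer account
$HostFqdn = 'srv01.corp.thinkst.com'
$Wanted   = 'MSSQLSvc', 'TERMSRV' | ForEach-Object { "$_/$HostFqdn" }

function Get-RegisteredSpn {
    param([string]$Name)
    # "setspn -L" prints an unindented header line, then one indented SPN per line.
    & setspn.exe -L $Name |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}

$before = @(Get-RegisteredSpn -Name $Account)

foreach ($spn in $Wanted) {
    if ($before -contains $spn) {         # -contains compares case-insensitively
        Write-Host "Already present: $spn"
        continue
    }
    # -S adds the SPN only after verifying that no duplicate exists in the domain.
    # Duplicate SPNs break Kerberos authentication for the affected service.
    & setspn.exe -S $spn $Account
}

# Re-read the account and confirm that every expected SPN is now registered.
$after   = @(Get-RegisteredSpn -Name $Account)
$missing = @($Wanted | Where-Object { $after -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("Not registered (check privileges or duplicates): " + ($missing -join ', '))
} else {
    Write-Host "All expected SPNs are registered on $Account."
}
```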
See Microsoft's documentation on setspn for more.