maximum effective length of attribute 'serviceprincipalname'

  • Last Post 13 May 2014
kbatlive posted this 07 May 2014

The schema has it defined with no upper limit - but I'm wondering if there is a undocumented limit. Since the data is stored in Unicode format, that requires (my understanding) basically 2 bytes for each character. I'm not seeing where there is an actual documented upper limit.

Running into a Kerberos issue - I'm wondering if we have reached the upper limit of the 'serviceprincipalname' attribute (the SPN's are not duplicated and are associated with the account...the issue happened once a few more SPN's were added to the same account). I don't have dsastat to determine exactly the length - but dumping the attribute and counting bytes (via notepad) shows it to be about 24K of entries - so doubling that to 48K should be fine if there was a 64K limit.

The account is used for both production and dev (yes, not ideal...but it is what it is - that is why there are hundreds of SPN's associated with it. They are changing that...but that is a slow process.)

I know the msds-allowedtodelegateto has a 64K upper limit (used for constrained delegation) - and with the length of our FQDN domain name, we reach that length when we start getting 400-500 entries within it - ran across this with a WAN accelerator who has to register the system names/services (4 per system) into msds-A2D2 attribute to accelerate the traffic over the WAN).

Just wondering if someone else has run into a maximum length (entries) for serviceprincipalname.

Thanks in advance!

Ken

DonH posted this 08 May 2014

There's no limit on the size of a single SPN attribute value, but there is a
limit on the number of values. You can only have ~1300 values across all
non-linked attributes on an AD object (number from memory, could be
outdated). If you have "hundreds" of SPN values on a single object I would
be willing to bet that you have a couple other bloated attributes as well
and that that's the limit you're hitting. Time to do some cleanup or, even
better, to segregate production and development.

Don Hacherl


kbatlive posted this 08 May 2014

Thank you!  They have already started moving services (and SPN's) to other accounts...I think this will provide some additional insight. Thanks again!  (I'm kinda giddy[1] - another response from DonH to one of my questions! ) [1] although to be fair, my giddiness may be related to some medication I'm taking to clear up a lung condition :)  I prefer to think otherwise.


Tspring posted this 08 May 2014

Don's memory is right on. We had a customer a few years ago who was using a single account as a service account. I honestly don't recall why this came up, but they had around 1300 SPNs in the serviceprincipalname attr, which is around the maximum you can add.
The ambiguity regarding number is that SPNs may be differing length strings in the multi valued attribute so the total size will vary.
Tim
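As a practical way to check what Don and Tim describe, here is an added PowerShell example (my own, not code from anyone in this thread). It totals the values in every non-linked multi-valued attribute on one object, since the per-object budget they mention is shared across all of them, not just servicePrincipalName, and reports the approximate UTF-16 size of each (2 bytes per character, as Ken assumed). Linked attributes such as memberOf are excluded by checking for linkID in the schema. Assumptions: the RSAT ActiveDirectory module is installed, the account name svc-example is a placeholder, and the 1300-value threshold is the figure quoted from memory in this thread, not an official constant.

```powershell
# Added example: audit one AD object's non-linked multi-valued attributes
# against the ~1300-values-per-object figure quoted in this thread.
param(
    [string]$SamAccountName = 'svc-example',   # placeholder, replace with the real service account
    [int]$ValueLimit = 1300                    # thread's from-memory figure, not an official constant
)

Import-Module ActiveDirectory

# Linked attributes (memberOf, directReports, ...) carry a linkID in the
# schema and do not count toward the non-linked value budget.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$linked = @{}
Get-ADObject -SearchBase $schemaNC `
             -LDAPFilter '(&(objectClass=attributeSchema)(linkID=*))' `
             -Properties lDAPDisplayName |
    ForEach-Object { $linked[$_.lDAPDisplayName] = $true }

$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties *
if (-not $acct) { throw "Account '$SamAccountName' not found" }

# One row per multi-valued, non-linked attribute: value count and UTF-16 size.
$report = foreach ($name in $acct.PropertyNames) {
    if ($linked.ContainsKey($name)) { continue }
    $vals = @($acct.$name)
    if ($vals.Count -le 1) { continue }
    $bytes = ($vals |
        ForEach-Object { [System.Text.Encoding]::Unicode.GetByteCount([string]$_) } |
        Measure-Object -Sum).Sum
    [pscustomobject]@{
        Attribute   = $name
        Values      = $vals.Count
        ApproxKB    = [math]::Round($bytes / 1KB, 1)
        LongestChar = ($vals | ForEach-Object { ([string]$_).Length } | Measure-Object -Maximum).Maximum
    }
}

$report | Sort-Object Values -Descending | Format-Table -AutoSize

# The budget is per object, so compare the sum, not the largest attribute.
$total = ($report | Measure-Object -Property Values -Sum).Sum
if ($total -ge [int]($ValueLimit * 0.8)) {
    Write-Warning ("{0} non-linked values on {1}; approaching the ~{2} per-object figure" -f
        $total, $SamAccountName, $ValueLimit)
}

# Duplicate SPNs break Kerberos regardless of size; setspn -X -F checks the whole forest.
setspn -X -F
```

Run it as a domain user with read access to the account; only the setspn check at the end needs forest-wide read. If servicePrincipalName alone is well under the threshold but the sum across attributes is not, that is the "couple other bloated attributes" case Don describes.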

kbatlive posted this 13 May 2014

Tim...Thanks for the response.  I just used one of your blog links to an internal developer.  The SPN doesn't have 1,300 entries on it (or approaching it yet) - so we may have something else going on :(  I used the link below to show the size of the A2D2 attribute for a different account (where using the same account for multiple sharepoint sites) - thankfully, they are only approaching 12K (dsastat output) for A2D2 - so they have some "room to grow"...but they are going to be implementing new accounts in the coming months...so that should eliminate that issue for them. Thanks again! http://blogs.technet.com/b/ad/archive/2008/12/19/too-much-of-a-good-thing.aspx
