Service principal name attributes for HCP

When you enable Active Directory (AD) support in HCP, HCP adds values to the service principal name (SPN) attribute of the HCP computer account in AD.

The initial values that HCP adds to the SPN attribute of the computer account in AD are:

  • System Management Console
  • Default tenant
  • Search Console
  • Each node in the HCP system

Subsequently, values are added for:

  • Each tenant that supports AD authentication
  • Each namespace that has both the HTTP protocol and AD single sign-on enabled
  • Each node added to the HCP system

Each object for which an SPN value is created is referred to as a single sign-on location. If a single sign-on location for a tenant, namespace, or node is removed from the system, the value for that location is removed from the SPN attribute of the HCP computer account in AD.

AD limits the number of values that the SPN attribute of a single object can hold. Any system-level operation in HCP that would cause this limit to be exceeded fails with a message indicating that the failure is related to the number of single sign-on locations. Any tenant-level operation that would cause this limit to be exceeded fails with a message indicating that single sign-on cannot be enabled.

Important: Active Directory imposes a practical limit of 1200 SPN values for a given AD object. When a tenant is created with AD enabled, HCP creates an SPN value corresponding to that tenant. Additionally, HCP creates an SPN value for each namespace created on the tenant. Because both the tenant and namespace SPN values are registered to the same AD object, the total number of AD-enabled tenants plus their namespaces across the entire cluster must be less than 1200.
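Because every AD-enabled tenant, SSO-enabled namespace and node consumes one value on the same computer account, an administrator wants to know how much headroom remains before a tenant or namespace operation starts failing. The PowerShell script below is added here as an example; it is not part of the HCP product or its documentation. It reads the servicePrincipalName attribute (the LDAP name of the SPN attribute) of the HCP computer account with the RSAT ActiveDirectory module, groups the values by service class, reports headroom against the 1200-value ceiling, and flags any value that is also registered on another object, since duplicate SPNs in a forest break Kerberos authentication. The parameter names, the computer account name and the 10% warning threshold are assumptions, not values taken from HCP.

```powershell
# Added example, not HCP code. Assumes the RSAT ActiveDirectory module is
# installed and that -HcpComputerName names the HCP computer account in AD.
param(
    [Parameter(Mandatory = $true)]
    [string]$HcpComputerName,
    [int]$Limit = 1200          # practical ceiling stated in the HCP documentation
)

Import-Module ActiveDirectory

$account = Get-ADComputer -Identity $HcpComputerName -Properties servicePrincipalName
$spns = @($account.servicePrincipalName)   # force an array even for 0 or 1 value

# An SPN has the form <service class>/<host>[:port][/<service name>];
# grouping on the class shows which kind of location dominates the count.
$byClass = $spns |
    ForEach-Object { ($_ -split '/', 2)[0] } |
    Group-Object |
    Sort-Object Count -Descending

Write-Host ("{0}: {1} SPN values registered (limit {2}, headroom {3})" -f
    $account.Name, $spns.Count, $Limit, ($Limit - $spns.Count))
$byClass | Format-Table Name, Count -AutoSize

# Assumed threshold: warn at 90% so new tenants/namespaces do not fail unexpectedly.
if ($spns.Count -ge [math]::Floor($Limit * 0.9)) {
    Write-Warning "Within 10% of the SPN limit; enabling AD on further tenants or namespaces may fail."
}

# A value that is also registered on another object makes the KDC unable to pick
# a single account for that service, so Kerberos SSO to that location fails.
foreach ($spn in $spns) {
    $others = Get-ADObject -Filter { servicePrincipalName -eq $spn } |
        Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }
    if ($others) {
        Write-Warning "SPN '$spn' is also registered on: $($others.DistinguishedName -join ', ')"
    }
}
```

Run it from a host with RSAT as `.\Check-HcpSpn.ps1 -HcpComputerName <account>`; the duplicate check issues one directory query per SPN, so on an account near the limit expect it to take a while.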