[36123] in Kerberos


Re: SPN syntax and multiple tickets

daemon@ATHENA.MIT.EDU (Ben H)
Wed May 14 19:29:24 2014

MIME-Version: 1.0
In-Reply-To: <CAAd7auZD4AtM9x2CFfO_StHp+dC77qVpyB87LFMOWWXJQNsmuQ@mail.gmail.com>
Date: Wed, 14 May 2014 18:29:08 -0500
Message-ID: <CAAd7auZiwK-ZKdsZgjkO0DYMkgudK+f4P7M40F0ZpsEJW8cyUQ@mail.gmail.com>
From: Ben H <bhendin@gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I answered part of my question here:

http://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx

Is this replicable "service name" a Microsoft-specific implementation, or
is there an equivalent concept for MIT KDCs?


On Wed, May 14, 2014 at 1:39 PM, Ben H <bhendin@gmail.com> wrote:

> Right now I'm experiencing this on my Windows client connected to a
> Windows KDC, but have experienced it before on MIT clients - but am not
> seeing it now, and not sure how to recreate it....
>
> A Windows KDC (DC) registers many SPN records, among them:
>
>         ldap/SERVER/DOMAIN
>         ldap/{GUID}._msdcs.domain.local
>         ldap/SERVER.domain.local/DOMAIN
>         ldap/SERVER
>         ldap/SERVER.domain.local
>         ldap/SERVER.domain.local/domain.local
>
> I am currently seeing tickets on my client for both:
>
> ldap/SERVER.domain.local/domain.local @ DOMAIN.LOCAL
> and
> ldap/SERVER.domain.local @ DOMAIN.LOCAL
>
> I'm trying mostly to understand the syntax/terms to use in researching
> both what these multi-part SPNs are for (with the "/") as well as under
> what circumstances one would be chosen over the other.  I'm under the
> impression that the application is going to decide what SPN to query and if
> that's the case, then it is simply Microsoft choosing in some cases to use
> one over the other (seems pointless and redundant) - but as I've mentioned
> I am 95% sure I've seen these on my MIT clients in the past.
>
> Can someone provide any insight into what these non-standard multi-part
> SPNs are for and if they are acceptable in MITkerb?
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
