[38266] in Kerberos
Why the SPN can't be arbitrary
daemon@ATHENA.MIT.EDU (ZongtianHou)
Sun Jun 24 00:27:35 2018
From: ZongtianHou <zongtianhou@icloud.com>
MIME-version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-id: <126AF4E5-4348-42A9-BD90-128226727998@icloud.com>
Date: Sun, 24 Jun 2018 12:27:09 +0800
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello, everyone:
I have some questions about the auth process. When the user gets the TGT, it then sends a request to the TGS in which it tells the TGS the service principal it wants to access. I have two questions here. First, how does the user know the service principal? I think it only knows the service it wants to access. Second, why must the SPN be service/FQDN@REALM.COM? If the user knows the service principal, like aaa@REALM.COM, it just requests a ticket for it, then sends the ticket to the service, and then it can access it. What have I misunderstood here?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos