Re: kerberos tickets and the SPNs



On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert@xxxxxxx> wrote:

I deleted the computer object in AD, waited for the replication to
complete and then re-added the AD object.  Now the SPN appears as


Note that the MS documentation says to add a "user" account, not a
"computer" account. (Sounds counterintuitive...)

http://technet.microsoft.com/en-us/library/bb742433.aspx

 To configure the UNIX hosts

  Use the Active Directory Management tool to create a new user account for
the UNIX host:

  Select the Users folder, right-click and select New, then choose user.

  Type the name of the UNIX host.

(Last line is: pick a unique name in the forest for the account, i.e. used as
SamAccountName (without the $), so must be 19 characters. Use some convention,
like host-name-dept where h is short for host, name is the simple host name,
and dept. (We have department DNS domains, but the AD is site wide.)

The ktpass then *ADDS* the SPN to the user account using the -principal option.
I am pretty sure if you create a "computer" account, the SPN gets added
during account creation, and that is why you are seeing the uppercase HOST.

This is obviously not what happens when you use Solaris adjoin.sh
(adjoin-s10u5) or Samba's 'net ads join' command. Both of these
approaches create a computer object specifically. The interesting
behavior is adjoin.sh creates the computer object with one specific
SPN (host/host.fqdn), whereas Samba creates (HOST/HOSTNAME and
HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
RC4-HMAC-MD5, whereas the samba net ads keytab create simply doesn't
create one. Mind you, I'm using Sun natively packaged Samba. Whereas
I can clearly see the UPN with adjoin.sh, the one I created with
net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
adjoin literally uses ldapadd to add the host to computers
container....

Alright, I digress....back to Kerberos. I didn't get around the
problem. So I'm going to install a Linux server and see how I fare.
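As an added example (not code from this thread, nor from Solaris adjoin or Samba), the following Python parses an MIT-format keytab and audits it for the two things the thread turns on: whether the keytab holds the SPN spellings clients may ask for (host/host.fqdn, HOST/HOSTNAME, HOST/host.fqdn) and whether it still carries the DES enctypes listed. The keytab bytes, the hostname "unixbox", the realm EXAMPLE.COM and the key material are all constructed for the example.

```python
import struct
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}   # DES types named in the thread

def build_keytab(entries):
    """Serialise (principal, realm, enctype, kvno, key) as keytab v0x0502 bytes."""
    out = b"\x05\x02"
    for princ, realm, etype, kvno, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                  # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, realm, enctype, kvno)] parsed from MIT keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:                               # negative size = deleted slot
            pos -= size; continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        strings = []
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 8                                   # skip name_type and timestamp
        kvno = data[pos]; pos += 1
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        if end - pos >= 4:                         # optional 32-bit kvno wins
            kvno = struct.unpack(">I", data[pos:pos + 4])[0]
        entries.append(("/".join(strings[1:]), strings[0], etype, kvno))
        pos = end
    return entries

def audit_host_keytab(data, hostname, fqdn):
    """Report missing host SPN spellings (case-sensitive, as keytab lookups are) and weak enctypes."""
    entries = parse_keytab(data)
    wanted = {f"host/{fqdn}", f"HOST/{fqdn}", f"HOST/{hostname.upper()}"}
    weak = {WEAK_ENCTYPES[e[2]] for e in entries if e[2] in WEAK_ENCTYPES}
    return {"missing": sorted(wanted - {e[0] for e in entries}), "weak": sorted(weak)}

# Constructed sample mirroring the adjoin-style keytab described in the thread.
ADJOIN_STYLE = build_keytab([("host/unixbox.example.com", "EXAMPLE.COM", et, 2, b"k" * 8)
                             for et in (1, 3, 23)])
```

Running audit_host_keytab(ADJOIN_STYLE, "unixbox", "unixbox.example.com") reports both HOST/ spellings missing and the two DES enctypes present; on a real host, read the bytes from /etc/krb5/krb5.keytab instead of the constructed sample.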
