Re: kerberos tickets and the SPNs



On Sat, May 9, 2009 at 1:02 AM, Douglas E. Engert <deengert@xxxxxxx> wrote:


Ravi Channavajhala wrote:

On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert@xxxxxxx> wrote:

Note that the MS documentation says to add a "user" account, not a "computer"
account. (Sounds counterintuitive...)

http://technet.microsoft.com/en-us/library/bb742433.aspx

 To configure the UNIX hosts

 Use the Active Directory Management tool to create a new user account for
 the UNIX host:

 Select the Users folder, right-click and select New, then choose user.

 Type the name of the UNIX host.

(Last line is: pick a unique name in the forest for the account, i.e. it is
used as the SamAccountName (without the $), so it must be 19 characters. Use
some convention, like host-name-dept, where h is short for host, name is the
simple host name, and dept. (We have department DNS domains, but the AD is
site wide.)

The ktpass then *ADDS* the SPN to the user account using the -principal
option. I am pretty sure if you create a "computer" account, the SPN gets
added during account creation, and that is why you are seeing the uppercase
HOST.

This is obviously not what happens when you use Solaris adjoin.sh
(adjoin-s10u5) or Samba's 'net ads join' command. Both of these
approaches create a computer object specifically.

The point I was making is that the Microsoft create computer account may
be adding the HOST/hostname for you, assuming it is going to be a Windows
computer. So ktpass does not change the case of the SPN if it's already
set.

Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R
creates two entries:

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect....

The point is, I can manipulate SPNs to no end, but obviously with no
success with Kerberos. My real issue is Kerberos flip-flopping between
'Server not found in Database' and 'Key table entry incorrect Key
version'.
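As an added example (not from this thread or from either poster), the script below models the two failures Ravi is bouncing between. It takes the data you would pull from AD (the account's servicePrincipalName values and msDS-KeyVersionNumber, as shown by `setspn -L` or an ldapsearch) and from the UNIX host's keytab (the `klist -ke` listing), and reports whether the service name a UNIX client asks for will fail at the KDC ("Server not found in Kerberos database"), fail at the keytab lookup, or fail on a stale key version. All account names, the host name unixbox.example.com, the realm EXAMPLE.COM and the keytab listing are constructed for the example.

```python
"""Added example: model the two Kerberos failures from the thread offline.

Inputs mirror what you would read from AD (servicePrincipalName and
msDS-KeyVersionNumber, e.g. `setspn -L <account>` or an ldapsearch) and from
the UNIX host's keytab (`klist -ke`). Every value below is constructed for
the example; the realm EXAMPLE.COM and host names are assumptions.
"""
from dataclasses import dataclass
from typing import List

REALM = "EXAMPLE.COM"  # assumed realm for the keytab principals


@dataclass
class AdAccount:
    sam_account_name: str
    spns: List[str]   # servicePrincipalName values as stored in AD
    kvno: int         # msDS-KeyVersionNumber (bumped on every password reset)


@dataclass
class KeytabEntry:
    principal: str    # e.g. host/unixbox.example.com@EXAMPLE.COM
    kvno: int
    enctype: str


def parse_klist_ke(text: str) -> List[KeytabEntry]:
    """Parse the 'KVNO Principal' table printed by `klist -ke`."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip the keytab name, header and dashed separator
        principal, _, enc = parts[1].partition(" (")
        entries.append(KeytabEntry(principal.strip(), int(parts[0]),
                                   enc.rstrip(")").strip()))
    return entries


def diagnose(requested_spn: str, accounts: List[AdAccount],
             keytab: List[KeytabEntry]) -> List[str]:
    """Return findings for the service name a UNIX client will ask for.

    requested_spn is given without realm, e.g. 'host/unixbox.example.com',
    which is how a MIT/Heimdal client builds host/<fqdn> from DNS.
    """
    findings = []
    # KDC side: AD matches SPNs case-insensitively, so look that way first.
    holders = [a for a in accounts
               if requested_spn.lower() in (s.lower() for s in a.spns)]
    if not holders:
        findings.append(f"KDC: no account carries '{requested_spn}' "
                        "-> expect 'Server not found in Kerberos database'")
        return findings
    if len(holders) > 1:
        findings.append("KDC: duplicate SPN on " +
                        ", ".join(a.sam_account_name for a in holders))
    account = holders[0]
    if requested_spn not in account.spns:
        stored = next(s for s in account.spns
                      if s.lower() == requested_spn.lower())
        findings.append(f"SPN case mismatch: AD stores '{stored}', client "
                        f"asks for '{requested_spn}'; Kerberos principal "
                        "names are case-sensitive, fix the SPN to match")
    # Keytab side: the service decrypts with the entry named in the ticket.
    principal = f"{requested_spn}@{REALM}"
    matches = [e for e in keytab if e.principal == principal]
    if not matches:
        findings.append(f"keytab: no entry for '{principal}' "
                        "-> expect 'Key table entry not found'")
    elif all(e.kvno != account.kvno for e in matches):
        findings.append(f"keytab kvno {matches[0].kvno} != AD "
                        f"msDS-KeyVersionNumber {account.kvno} (re-running "
                        "ktpass resets the password and bumps the kvno) -> "
                        "expect 'Key version number for principal in key "
                        "table is incorrect'")
    return findings


# Constructed data: the user account the MS article tells you to create,
# plus a computer account after `setspn -R` as described in the thread.
ACCOUNTS = [
    AdAccount("h-unixbox-it", ["host/unixbox.example.com"], kvno=3),
    AdAccount("UNIXBOX$", ["HOST/UNIXBOX$", "HOST/UNIXBOX$.EXAMPLE"], kvno=2),
]

# Constructed `klist -ke` output: written by an earlier ktpass run (kvno 2).
KEYTAB_TEXT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/unixbox.example.com@EXAMPLE.COM (arcfour-hmac)
"""
KEYTAB = parse_klist_ke(KEYTAB_TEXT)

if __name__ == "__main__":
    for spn in ("host/unixbox.example.com", "host/unixbox$",
                "nfs/unixbox.example.com"):
        print(spn, diagnose(spn, ACCOUNTS, KEYTAB))
```

In practice you would replace the constructed ACCOUNTS and KEYTAB_TEXT with the real `setspn -L` / ldapsearch output and the real `klist -ke` listing from the host; the kvno comparison is the one that explains the flip-flop, because every ktpass run that sets a new password increments msDS-KeyVersionNumber and leaves any keytab written before it stale.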

