Architectural Question ...

[Luke Howard]

>So you're suggesting that the common practice is to have a single principal
>for the box that identifies all services rather than separate principals
>for each service.

Under Windows 2000, which supports name canonicalisation, yes (the host
principal can be advertised as multiple service principal names).

>That would explain why the lesser priveleged service in your example didn't
>have it's own service key, and also why it would make sense that only some
>priveleged service have access to the one key. I don't quite get why the
>LSA has to visit the KDC if it has the service key ....

Me neither. Perhaps Microsoft originally intended services to be able to
manage their own keys, but still impersonate.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com