Architectural Question ...

Tony Cowan ttcowan at us.ibm.com
Thu Feb 6 18:41:30 EST 2003


Thanks for your help Luke.

Cheers,

Tc.

Tony Cowan - IBM SWG Services. (ttcowan at us.ibm.com)
Phone: (206) 675 0095 Cell: (206) 280 6942

There is no tomorrow. Only a succession of todays. Don't wait too long to
figure that out.



From: Luke Howard <lukeh at PADL.COM>
Date: 02/06/2003 02:46 PM
Please respond to: lukeh
To: Tony Cowan/Pittsburgh/IBM at IBMUS
cc: kerberos at mit.edu
Subject: Re: Architectural Question ...

>So you're suggesting that the common practice is to have a single principal
>for the box that identifies all services rather than separate principals
>for each service.

Under Windows 2000, which supports name canonicalisation, yes (the host
principal can be advertised as multiple service principal names).

>That would explain why the lesser privileged service in your example didn't
>have its own service key, and also why it would make sense that only some
>privileged services have access to the one key. I don't quite get why the
>LSA has to visit the KDC if it has the service key ....

Me neither. Perhaps Microsoft originally intended services to be able to
manage their own keys, but still impersonate.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com