Is "SPN advertisement" or well-known SPNs a security hole?

Todd Stecher tstecher at qwest.net
Mon Jan 14 17:36:31 EST 2008


Once you go down that route (e.g. allowing SPNEGO to specify service principal), you no longer have mutual auth, because you no longer are connecting to precisely the server the client / client application specified. You could be talking w/ whomever intercepted that traffic, and returned their SPN.



On Jan 14, 2008, at 1:57 PM, Srinivas Kakde wrote:

> This message says: From a security standpoint, allowing the server to specify its service principal is a "bad idea".
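The mutual-auth argument in the reply above can be made concrete with a toy model. The following is an added example, not code from the thread or from any Kerberos implementation: a minimal "KDC" that issues a ticket for any registered principal, a "service" that can only answer a ticket issued for its own principal, and a client that either pins the SPN it intended to reach or takes whatever SPN the peer advertises. All principal names, keys and the HMAC-based ticket format are constructed for the illustration.

```python
"""Toy model of why letting the peer advertise its SPN defeats mutual auth.

Constructed example (not real Kerberos, not code from the mailing list thread).
A "ticket" here is the service principal name, a session key and an HMAC tag
that only the holder of that principal's long-term key can verify; the tag
stands in for the ticket being encrypted under the service key.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    spn: str            # principal the KDC issued this ticket for
    session_key: bytes
    tag: bytes          # HMAC(K_spn, spn || session_key)


class ToyKDC:
    """Issues a ticket for any registered principal; it cannot know which host the client meant."""

    def __init__(self):
        self._keys = {}

    def register(self, spn, long_term_key):
        self._keys[spn] = long_term_key

    def get_ticket(self, spn):
        key = self._keys[spn]  # KeyError if the principal is not registered
        session_key = os.urandom(16)
        tag = hmac.new(key, spn.encode() + session_key, hashlib.sha256).digest()
        return Ticket(spn, session_key, tag)


class ToyService:
    """A service endpoint identified by its SPN and long-term key."""

    def __init__(self, spn, long_term_key):
        self.spn = spn
        self._key = long_term_key

    def advertise_spn(self):
        # What an "SPN advertisement" would hand the client.
        return self.spn

    def accept(self, ticket, client_nonce):
        """Return the mutual-auth proof (an AP-REP stand-in), or None if the ticket is not for us."""
        expected = hmac.new(self._key, ticket.spn.encode() + ticket.session_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ticket.tag):
            return None
        return hmac.new(ticket.session_key, b"AP-REP" + client_nonce, hashlib.sha256).digest()


def authenticate(expected_spn, peer, kdc, trust_advertised_spn):
    """Client side. Returns (mutual_auth_ok, spn_actually_authenticated)."""
    target = peer.advertise_spn() if trust_advertised_spn else expected_spn
    ticket = kdc.get_ticket(target)
    nonce = os.urandom(16)
    proof = peer.accept(ticket, nonce)
    if proof is None:
        return False, None  # peer could not answer a ticket for the SPN we chose
    expected_proof = hmac.new(ticket.session_key, b"AP-REP" + nonce, hashlib.sha256).digest()
    ok = hmac.compare_digest(proof, expected_proof)
    return ok, (ticket.spn if ok else None)


def demo():
    """Same client intent, same wrong peer; only the SPN policy differs."""
    kdc = ToyKDC()
    k_app, k_other = os.urandom(32), os.urandom(32)
    want = "HTTP/app.example.com@EXAMPLE.COM"             # constructed principal names
    other = "HTTP/other.example.com@EXAMPLE.COM"
    kdc.register(want, k_app)
    kdc.register(other, k_other)
    right_peer = ToyService(want, k_app)
    wrong_peer = ToyService(other, k_other)  # the connection actually landed here
    return {
        "pinned_right": authenticate(want, right_peer, kdc, trust_advertised_spn=False),
        "pinned_wrong": authenticate(want, wrong_peer, kdc, trust_advertised_spn=False),
        "advertised_wrong": authenticate(want, wrong_peer, kdc, trust_advertised_spn=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With the SPN pinned, the wrong peer cannot answer a ticket issued for `app.example.com`, so mutual auth fails and the client notices. With the advertised SPN, the client obtains a ticket for whatever principal the peer named, the peer answers it correctly, and the exchange "succeeds" even though it authenticated a principal other than the one the client set out to reach. The defensive takeaway is the client-side check in `authenticate`: the principal in the ticket must be the one the client intended, not one learned from the connection.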




More information about the Kerberos mailing list