Is "SPN advertisement" or well-known SPNs a security hole?

[Todd Stecher]

Once you go down that route (e.g. allowing SPNEGO to specify service  
principal), you no longer have mutual auth, because you no longer are  
connecting to precisely the server the client / client application  
specified.  You could be talking w/ whomever intercepted that traffic,  
and returned their SPN.



On Jan 14, 2008, at 1:57 PM, Srinivas Kakde wrote:

>
> This message says: From a security standpoint, allowing the server  
> to specify its
> service principal is a "bad idea".