Is "SPN advertisement" or well-known SPNs a security hole?
Todd Stecher
tstecher at qwest.net
Mon Jan 14 17:36:31 EST 2008
Once you go down that route (e.g. allowing SPNEGO to specify service
principal), you no longer have mutual auth, because you no longer are
connecting to precisely the server the client / client application
specified. You could be talking w/ whomever intercepted that traffic,
and returned their SPN.
On Jan 14, 2008, at 1:57 PM, Srinivas Kakde wrote:
>
> This message says: From a security standpoint, allowing the server
> to specify its
> service principal is a "bad idea".
More information about the Kerberos
mailing list