Kerberos auth against AD, keytabs, and service principal names

Douglas E. Engert deengert at
Mon Jul 20 16:10:51 EDT 2009

kerberos at wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert at> wrote:
> [snip
>> A keytab has the SPN and the key.
> I know this much as I've been writing out my own keytabs.  :-)
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right 

No. Its is useless if you are trying to do a kinit, but not
if you want host/FQDN, HTTP/FQDN and ldap/FQDN to be the same for use
as service principals.

As Michael Allen said:
"Ktpass is a very simple program and cannot be used for what you are doing."

-- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?
> That's all I'm really trying to determine before...
>>>  Is the only solution to have multiple AD entries, one for each SPN you intend to support?
>> That may not be so bad, as you may want different keys for different
>> principals. Just have a good account name naming convention for all
>> these accounts.
> ... I try to implement the above.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list