second keytab for similar service (but different SPN/IP) breaks the first

Michael B Allen ioplex at gmail.com
Wed Jun 3 12:23:06 EDT 2009


On Tue, Jun 2, 2009 at 7:12 PM, Chris <chriscorbell at gmail.com> wrote:
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account.

You really should create separate service accounts for each instance
of the service. In theory you might be able to shoehorn it so that two
instances of the service can use the same service account but the
convention is to simply create a separate account for each instance of
the service.

As for why it's failing, it's not clear from your description. But if
you use ktpass.exe for example, I don't think you can generate a
keytab file with multiple keys (for each SPN) so whenever you set the
password using ktpass that will immediately invalidate any previously
generated keytab.

> but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.

But they're for the same service instance. So one service -> one
service account.

> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?

In theory I think you might be able to generate a single keytab file
that has all of the required SPNs. But you would have to use something
like ktutil and set the password separately on Windows using the
conventional way and not ktpass and also manually add the SPNs. It's
probably not worth it. And you might not even be able to do it. One of
the Kerberos gurus might be able to tell you how.

Again, just create separate accounts and be done with it.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
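
The following is an added example, not part of the original post. It is a minimal reader for the MIT keytab file format (version 0x0502) that flags a keytab left behind by a later password reset on the same account, which is the failure described above. It relies on the background fact that Active Directory keeps one key version number (kvno) per account and raises it on each password change. The principals, kvnos and key bytes are constructed, and `build_entry` and `stale_entries` are hypothetical helper names.

```python
import io
import struct

def build_entry(realm, components, kvno, enctype, key):
    """Encode one keytab entry; used only to construct the sample data."""
    cs = lambda b: struct.pack(">H", len(b)) + b          # counted string
    body = struct.pack(">H", len(components)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return a list of (principal, kvno, enctype, key) from a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                                     # negative size marks a deleted slot
            pos += -size
            continue
        r = io.BytesIO(data[pos:pos + size])
        pos += size
        u = lambda fmt: struct.unpack(fmt, r.read(struct.calcsize(fmt)))[0]
        s = lambda: r.read(u(">H"))
        ncomp, realm = u(">H"), s().decode()
        comps = [s().decode() for _ in range(ncomp)]
        u(">I"), u(">I")                                  # skip name type and timestamp
        kvno, enctype, key = u(">B"), u(">H"), s()
        tail = r.read(4)                                  # optional 32-bit kvno
        if len(tail) == 4 and any(tail):
            kvno = int.from_bytes(tail, "big")
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries

def stale_entries(old, new):
    """Principals in `old` behind the newest kvno in `new` (assumes the same account)."""
    newest = max(kvno for _, kvno, _, _ in new)
    return [p for p, kvno, _, _ in old if kvno < newest]

# Constructed sample: two keytabs for one account, the second made after a password reset.
FIRST = b"\x05\x02" + build_entry("EXAMPLE.COM", ["fooservice", "192.0.2.10"], 3, 18, bytes(range(32)))
SECOND = b"\x05\x02" + build_entry("EXAMPLE.COM", ["fooservice", "192.0.2.20"], 4, 18, bytes(range(32, 64)))

if __name__ == "__main__":
    for principal in stale_entries(parse_keytab(FIRST), parse_keytab(SECOND)):
        print("stale:", principal)
```

Against real files, read each keytab with `open(path, "rb").read()` and treat the result as secret material, since the parsed tuples contain the long-term keys.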


