confusion with service principal names in Active Directory

Michael B Allen ioplex at gmail.com
Mon Mar 30 14:23:53 EDT 2009


On Mon, Mar 30, 2009 at 1:23 PM, John Jasen <jjasen at realityfailure.org> wrote:
> Paul Moore wrote:
>> use adsiedit (GUI) to set the spn on the AD rpincipal
>> or setspn cli tool
>
> I don't think that's the problem. The SPN is listed in Active Directory,
> and can be queried through ldapsearch, listed via setspn, seen through
> ADSIedit or jxplorer, etc. Its definitely in there, just stock kerberos
> doesn't see it for some reason.

Make sure that you do not have the same SPN set on more than one
account. If you do, AD will consider the request ambigous and it will
NOT grant a ticket for that SPN.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/



More information about the Kerberos mailing list