Name types for SPN of form HTTP/

Greg Hudson ghudson at MIT.EDU
Mon Dec 2 11:53:07 EST 2013

On 12/02/2013 01:00 AM, Arpit Srivastava wrote:
> Thanks Roland
> What abt localhost appended at the end ?

When you use GSS_C_NT_HOSTBASED_SERVICE, the krb5 mech expects to see a
name of the form "service at host" or "service".  Since your name does not
contain any '@' character, "HTTP/" is taken as the
service name (which doesn't make sense, but the mech isn't smart enough
to know that) and the canonicalized form of localhost is used as the
hostname.  That's why you wind up with HTTP/

You have two options:

1. Pass in a GSS_C_NT_HOSTBASED_SERVICE name of "HTTP at".

2. Pass in a GSS_KRB5_NT_PRINCIPAL_NAME name of "HTTP/".

In the first case, will be canonicalized.  In the second,
it will not.

More information about the Kerberos mailing list