Name types for SPN of form HTTP/webserver.example.com

Arpit Srivastava arpit.orb at gmail.com
Fri Nov 29 07:52:30 EST 2013


Hi,

I am using the gss_import_name API to generate a principal name for an SPN as
follows:

gss_import_name(min_status, nameBuffer, GSS_C_NT_HOSTBASED_SERVICE(),
gssPrincipalName)

If I pass the SPN of my service as HTTP/webserver.example.com@EXAMPLE.COM with
GSS_C_NT_HOSTBASED_SERVICE() - It works.
HOWEVER,
If I pass the SPN of my service as HTTP/webserver.example.com with
GSS_C_NT_HOSTBASED_SERVICE() - It doesn't work. I can see in tcpdump that it
sends the SPN in the format HTTP/webserver.example.com/localhost.

Looks like it is picking localhost (possibly from the hosts file) when I have
krb5.conf provisioned. It should take the default realm name.

1. Which name type should I use for HTTP/webserver.example.com kind of
principal names?

2. Actually I am getting the server name from my service provider as
webserver.example.com (which is hosted on AD) and I have to make my
client application form a principal name by itself. What I am doing is
just appending HTTP/ in front of it. Is this the correct way, or can there be
cases where we can't just guess the SPN like this? I guess the browser does this
in a similar manner. Is there any authority document for guidance?

Cheers,
Arpit
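
An added example, not part of the original post: a simplified Python model of the host-based service name syntax from RFC 2743 section 4.1 (`service@hostname`, with the local host's name used when `@hostname` is omitted) and of the `service/hostname` principal the Kerberos mechanism derives from it (RFC 1964 section 2.1.2). The function names and the `local_host` parameter are illustrative assumptions; realm selection and hostname canonicalization are not modeled.

```python
# Added illustration (not code from the post): a simplified model of
# GSS_C_NT_HOSTBASED_SERVICE input handling per RFC 2743 section 4.1 and
# RFC 1964 section 2.1.2. It does not call any GSS-API library.

HOSTBASED = "GSS_C_NT_HOSTBASED_SERVICE"  # input syntax: service@hostname


def split_hostbased(name, local_host="localhost"):
    """Split a host-based service string into (service, hostname).

    RFC 2743: the "@hostname" element may be omitted, in which case the
    local host's name is used. local_host stands in for that value.
    """
    service, at, host = name.partition("@")
    return service, (host if at else local_host)


def principal_without_realm(name, local_host="localhost"):
    """Model the service/hostname principal derived from a host-based name."""
    service, host = split_hostbased(name, local_host)
    return f"{service}/{host}"


def import_args(service, hostname):
    """Build (name type, input string) for a service on a known host.

    Rejects empty values and values containing '/', '@' or whitespace,
    because those would change how the string is split.
    """
    for label, value in (("service", service), ("hostname", hostname)):
        bad = any(c in "/@" or c.isspace() for c in value)
        if not value or bad:
            raise ValueError(f"invalid {label}: {value!r}")
    return HOSTBASED, f"{service}@{hostname}"


if __name__ == "__main__":
    # Constructed inputs using the names from the post.
    # No '@' in the string: the whole string is the service element and the
    # local host name is filled in, matching the tcpdump observation.
    print(principal_without_realm("HTTP/webserver.example.com"))
    # Service and host passed separately produce the service@hostname form.
    name_type, text = import_args("HTTP", "webserver.example.com")
    print(name_type, text, "->", principal_without_realm(text))
```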

