SPN syntax and multiple tickets

[Ben H]

I answered part of my question here:

http://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx

Is this replicable "service name" a Microsoft specific implementation, or
is their an equivalent concept for MIT KDCs?


On Wed, May 14, 2014 at 1:39 PM, Ben H <bhendin at gmail.com> wrote:

> Right now I'm experiencing this on my windows client connected to a
> Windows KDC, but have experienced it before on MIT clients - but am not
> seeing it now, and not sure how to recreate it....
>
> A Windows KDC (DC) registers many SPN records, among them:
>
>         ldap/SERVER/DOMAIN
>         ldap/{GUID}._msdcs.domain.local
>         ldap/SERVER.domain.local/DOMAIN
>         ldap/SERVER
>         ldap/SERVER.domain.local
>         ldap/SERVER.domain.local/domain.local
>
> I am currently seeing tickets on my client for both:
>
> ldap/SERVER.domain.local/domain.local @ DOMAIN.LOCAL
> and
> ldap/SERVER.domain.local @ DOMAIN.LOCAL
>
> I'm trying mostly to understand the syntax/terms to use in researching
> both what these multi-part SPNs are for (with the "/") as well as under
> what circumstances one would be chosen over the other.  I'm under the
> impression that the application is going to decide what SPN to query and if
> that's the case, then it is simply Microsoft choosing in some cases to use
> one over the other (seems pointless and redundant) - but as I've mentioned
> I am 95% sure I've seen these on my MIT clients in the past.
>
> Can someone provide any insight into what these non-standard multi-part
> SPNs are for and if they are acceptable in MITkerb?
>