theory behind unique SPNs

Greg Hudson ghudson at mit.edu
Fri Apr 24 16:46:55 EDT 2015


On 04/24/2015 03:37 PM, Ben H wrote:
> Why not simply use host/serverA.domain.com for both services?

At a protocol level, it's to support privilege separation on the server.
The CIFS server doesn't need access to the LDAP server key and vice versa.

Of course you only get this benefit if (a) the two services use
different keys, and (b) the two service implementations are sufficiently
isolated on the server host.  In a normal AD deployment (as I understand
it) the first constraint isn't true, but the client shouldn't assume that.
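Added illustration of the privilege-separation point above (not part of the original post): a toy model in which the KDC encrypts a service ticket under the key registered for an SPN, and a daemon can only open tickets whose key its keytab actually holds. The cipher is a constructed stand-in rather than a real Kerberos enctype, and the cifs/ and ldap/ SPNs, keys and client name are assumed placeholders.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption standing in for a Kerberos enctype (constructed
# for illustration; real Kerberos uses the RFC 3961 profiles, not this).
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key (or tampered ticket): the service cannot accept it
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def issue_ticket(kdc_db: dict, spn: str, client: str) -> bytes:
    """The KDC encrypts a service ticket under the key it has registered for spn."""
    return _encrypt(kdc_db[spn], f"{client} -> {spn}".encode())

def process_can_read(keys_held: list, ticket: bytes) -> bool:
    """Can a daemon holding only these keytab keys open this ticket?"""
    return any(_decrypt(k, ticket) is not None for k in keys_held)

def demo() -> dict:
    k_host, k_cifs, k_ldap = (os.urandom(32) for _ in range(3))
    # Case 1: both daemons use host/serverA, so one key serves both services.
    shared = {"host/serverA.domain.com": k_host}
    t_shared = issue_ticket(shared, "host/serverA.domain.com", "alice@DOMAIN.COM")
    # Case 2: unique SPNs, but both on one account with one key (constraint (a) fails).
    ad = {"cifs/serverA.domain.com": k_host, "ldap/serverA.domain.com": k_host}
    t_ad_ldap = issue_ticket(ad, "ldap/serverA.domain.com", "alice@DOMAIN.COM")
    # Case 3: unique SPNs with distinct keys; each daemon's keytab holds only its own.
    split = {"cifs/serverA.domain.com": k_cifs, "ldap/serverA.domain.com": k_ldap}
    t_split_ldap = issue_ticket(split, "ldap/serverA.domain.com", "alice@DOMAIN.COM")
    return {
        "shared_spn_cifs_opens_ldap_ticket": process_can_read([k_host], t_shared),
        "same_key_cifs_opens_ldap_ticket": process_can_read([k_host], t_ad_ldap),
        "split_keys_cifs_opens_ldap_ticket": process_can_read([k_cifs], t_split_ldap),
        "split_keys_ldap_opens_own_ticket": process_can_read([k_ldap], t_split_ldap),
    }
```

Only the third arrangement keeps the CIFS daemon out of LDAP traffic, and only if the keytab files themselves are readable by just the daemon that needs them (constraint (b) above).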

