theory behind unique SPNs
Nico Williams
nico at cryptonector.com
Fri Apr 24 17:21:15 EDT 2015
On Fri, Apr 24, 2015 at 04:46:55PM -0400, Greg Hudson wrote:
> On 04/24/2015 03:37 PM, Ben H wrote:
> > Why not simply use host/serverA.domain.com for both services?
>
> At a protocol level, it's to support privilege separation on the server.
> The CIFS server doesn't need access to the LDAP server key and vice versa.
And, to a lesser extent, to prevent users from getting redirected from
one service to another.
Nico
--
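Added toy model of the key-separation point made above (not code from this thread or from MIT Kerberos): the KDC seals each ticket under the key of the SPN the client asked for, and each daemon holds only its own keytab entries. `seal`/`unseal` are a keyed-stream-plus-MAC stand-in for real Kerberos ticket encryption, and every key, principal name and keytab here is constructed for the example.

```python
import hashlib
import hmac
import os

# Stand-in for Kerberos ticket encryption: NOT RFC 3961 crypto, just enough
# to show which keytab can open which ticket.
def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered ticket
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def issue_ticket(kdc_db, sname, client):
    # KDC: the ticket's private part is sealed under the requested service's key.
    return {"sname": sname, "enc": seal(kdc_db[sname], client.encode())}

def accept(ticket, keytab, my_spn):
    # Service: it must be the principal the ticket names AND hold that key.
    key = keytab.get(ticket["sname"])
    if key is None or ticket["sname"] != my_spn:
        return None
    client = unseal(key, ticket["enc"])
    return None if client is None else client.decode()

def compare_layouts():
    """Unique SPNs vs. one shared host/ principal on serverA (constructed keys)."""
    unique = {"cifs/serverA.domain.com": os.urandom(32),
              "ldap/serverA.domain.com": os.urandom(32)}
    cifs_keytab = {k: v for k, v in unique.items() if k.startswith("cifs/")}
    t_ldap = issue_ticket(unique, "ldap/serverA.domain.com", "alice@DOMAIN.COM")
    shared = {"host/serverA.domain.com": os.urandom(32)}   # both daemons use it
    t_host = issue_ticket(shared, "host/serverA.domain.com", "alice@DOMAIN.COM")
    return {
        # a compromised CIFS daemon cannot read a ticket meant for LDAP ...
        "cifs_opens_ldap_ticket": accept(t_ldap, cifs_keytab, "cifs/serverA.domain.com") is not None,
        # ... but with one host/ key either daemon opens the same ticket, and the
        # ticket no longer says which service the client meant to reach
        "cifs_opens_host_ticket": accept(t_host, shared, "host/serverA.domain.com") is not None,
        "ldap_opens_host_ticket": accept(t_host, shared, "host/serverA.domain.com") is not None,
    }
```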