theory behind unique SPNs

Roland C. Dowdeswell elric at imrryr.org
Mon Apr 27 11:24:16 EDT 2015


On Sun, Apr 26, 2015 at 07:08:38AM -0500, Ben H wrote:
> Thanks all.  Continued appreciation for your contributions and guidance.

Although I am not sure if it influenced the original design decisions,
there are also some operational benefits.  At a lot of companies,
you may have different teams responsible for different services
running on the same hosts.  If they use different names then they
do not place constraints on each other.  This can become important
if the software uses different Kerberos libraries that, e.g., support
different encryption types.  Or if you are using JGSS and want to
do key rotation, as JGSS does not re-read the keytab without restarting
a service---in this case, having separate names and hence keys
allows the different pieces of software to rotate their keys on a
separate schedule.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

