Why the SPN can't be arbitrary

ZongtianHou zongtianhou at icloud.com
Sun Jun 24 00:27:09 EDT 2018


Hello, everyone:
I have some questions about the auth process. When the user gets the TGT, it then sends a request to the TGS in which it tells the TGS the service principal it wants to access. I have two questions here. First, how does the user know the service principal? I think it only knows the service it wants to access. Second, why must the SPN be service/FQDN@REALM.COM? If the user knows the service principal, like aaa@REALM.COM, it just requests a ticket for it, then sends the ticket to the service, then it can access it. What have I misunderstood here?
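As an added example (not part of the original post, and not MIT Kerberos code), the following Python models how a client library derives the service principal it puts in the TGS-REQ from just the service name and the host it is contacting, which is the reason the service/FQDN@REALM convention is useful: the KDC looks up the service's long-term key by exactly that name, so client and service must arrive at the same string independently. The domain_realm mapping, host names and realms are constructed; the DNS canonicalization step a real client may perform is omitted.

```python
# Added example: a simplified model of how a Kerberos client turns
# (service, hostname) into the SPN it requests from the TGS. It mirrors the
# idea behind MIT's krb5_sname_to_principal() but is NOT that library's code.

# Constructed sample of a krb5.conf [domain_realm] section: maps a DNS domain
# (leading dot) or a single host to the realm that issues tickets for it.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    "legacy.example.com": "OLD.EXAMPLE.COM",
    ".corp.example.net": "CORP.EXAMPLE.NET",
}


def canonical_host(hostname: str) -> str:
    """Normalise the host part: strip whitespace and a trailing dot, lowercase.
    (A real client may also resolve the name via DNS here; omitted offline.)"""
    return hostname.strip().rstrip(".").lower()


def realm_for_host(fqdn: str, domain_realm: dict = DOMAIN_REALM) -> str:
    """Pick the realm for a host: an exact host entry wins, then the most
    specific matching parent-domain entry; if nothing matches, fall back to
    the upper-cased parent domain, the usual default without a mapping."""
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return ".".join(labels[1:]).upper()


def sname_to_principal(service: str, hostname: str) -> str:
    """Build service/fqdn@REALM, the name the client sends in its TGS-REQ.
    The KDC looks up the service key by this exact string and encrypts the
    ticket with it, so the service's keytab must hold the same name."""
    fqdn = canonical_host(hostname)
    return f"{service}/{fqdn}@{realm_for_host(fqdn)}"


def split_principal(principal: str) -> tuple:
    """Inverse operation, as a service or keytab tool would perform it."""
    name, realm = principal.rsplit("@", 1)
    service, _, host = name.partition("/")
    return service, host, realm


if __name__ == "__main__":
    print(sname_to_principal("HTTP", "Web01.Example.COM."))
```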


More information about the Kerberos mailing list