Kerberos Hostname Mapping for HTTP Server Ticket Requests

Chris Fields Chris.Fields at
Thu Mar 8 18:44:13 EST 2007

I am trying to get a Linux server with the krb5 libraries to talk to a
Windows 2000 domain (KDC) to provide tickets that allow the Linux web
server to grant access to HTTP URLs.  This works fine when the host name
in the URL matches the host name of the Linux web server making the
request for the ticket (e.g. HTTP://linuxserver/index.html where
"linuxserver" is the host name of the server making the Kerberos
requests for a ticket)
We have a Windows account matching the Linux host name and mapped to a
Kerberos principal with HTTP/linuxserver at as the principal
name.  This all works fine.  It breaks when we try to access an HTTP URL
with a different hostname (e.g. HTTP://server2/index.html) but it is
hosted on the same server.  How does the Linux host name come into play
when the Linux server is requesting a ticket from the Windows KDC?  Is
Windows Kerberos only going to allow that Linux server to grant tickets
to HTTP applications with the Linux server as the host name in the HTTP
Thanks for your help. 

More information about the krbdev mailing list