Let's say our realm is CARS.LOCAL and I can't change it. Would a principal like HTTP/[email protected] work?

In other words, our internet domain name doesn't match our realm and I would like to use our registered domain name with Kerberos.

The server hosting portal.houses.com and acting as a Kerberos client to auth users is server1.cars.local. Reverse DNS lookup works for server1.cars.local. But portal.houses.com resolves to an IP not matching server1.cars.local in a reverse DNS lookup.

Is it possible to do what I want? Would the only way be to have an A record for portal.houses.com using a static IP and make that IP's PTR record point to portal.houses.com?

I'm using Active Directory as the Kerberos server.
Reverse DNS doesn't apply here.

Browsers will canonicalize CNAMEs to A records and use the A record as the requested SPN. If portal.houses.com is a CNAME that the client resolves to server1.cars.local, then the browser will request a ticket to http/server1.cars.local from the domain controller associated to the logged-on user.

The actual realm name doesn't matter. Kerberos is happy as long as there's an SPN registered on a service account.
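The canonicalization step described in the answer, as an added example that is not part of the original post: it follows a CNAME chain to the A record, builds the SPN a browser would request, and checks whether that SPN is registered on a service account. The DNS zone and the service-account table are constructed sample data, and the chain walker also rejects CNAME loops.

```python
# Added example (not from the original post). Models how a canonicalizing
# client turns a URL host into a Kerberos SPN and whether the KDC can serve it.

SPN_SERVICE = "HTTP"

# Constructed DNS zone data: name -> ("CNAME", target) or ("A", ip)
DNS = {
    "portal.houses.com.": ("CNAME", "server1.cars.local."),
    "server1.cars.local.": ("A", "10.0.0.5"),
    "loop1.houses.com.": ("CNAME", "loop2.houses.com."),
    "loop2.houses.com.": ("CNAME", "loop1.houses.com."),
}

# Constructed directory data: service account -> SPNs registered on it.
# Note the SPN carries the A-record name, not the realm or the URL host.
SERVICE_ACCOUNTS = {
    "CARS\\svc-portal": {"HTTP/server1.cars.local"},
}


def canonical_host(name, dns=DNS, max_hops=8):
    """Follow CNAMEs until an A record is reached; return that FQDN.
    Raises ValueError for unknown names, loops, or over-long chains."""
    fqdn = name.lower().rstrip(".") + "."
    seen = set()
    for _ in range(max_hops):
        if fqdn in seen:
            raise ValueError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        rtype, target = dns.get(fqdn, (None, None))
        if rtype == "A":
            return fqdn.rstrip(".")
        if rtype == "CNAME":
            fqdn = target.lower().rstrip(".") + "."
            continue
        raise ValueError(f"no A or CNAME record for {fqdn}")
    raise ValueError("CNAME chain too long")


def requested_spn(url_host, dns=DNS):
    """SPN a canonicalizing client asks the KDC for: HTTP/<A-record name>."""
    return f"{SPN_SERVICE}/{canonical_host(url_host, dns)}"


def account_holding_spn(spn, accounts=SERVICE_ACCOUNTS):
    """Service account on which the SPN is registered (case-insensitive), or None."""
    wanted = spn.lower()
    for account, spns in accounts.items():
        if wanted in {s.lower() for s in spns}:
            return account
    return None
```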