Home / server / Questions / 579370
Accepted
jouell
Asked: 2014-03-03 18:06:32 +0800 CST

How does a Kerberos Client determine the Service Name portion of an SPN?

  • 772

If I deploy a server call FOO/host.example.com@myrealm how does a client become aware that the service name is FOO?

ENV: Unix / MIT kerberos 1.4 or 1.10

I see windows has some sort of mapping: How exactly does the HOST/machine SPN work?, what about unix?

kerberos

1 Answers

  1. Best Answer

    Usually the client is specific for the service FOO and the SPN syntax FOO/<hostname> would be hard-coded in the client application.

    You'll need to manually set up the correct SPN's for the services you're offering.

    Sometimes multiple services are grouped under the same SPN, for instance it is not uncommon to see both the actual webserver, apache, responding using the HTTP/host service principal name as well as an application server like Jboss or Websphere. This can be explained that often those services are accessed by the same type of client, i.e. a web browser.

    SSH and telnet for instance use HOST/<hostname> rather than a service specific SPN like SSH/<hostname>.

    If you set up Dovecot and offer both POP3 as well as IMAP access you'll need two SPN's one for each service/protocol, despite that it is only a single application.

    • 2