kerberos questions - Page 1

Chris Magnuson

Asked: 2012-01-18 12:16:01 +0800 CST

Can someone please explain Windows Service Principle Names (SPNs) without oversimplifying?

39

I have wrestled with service principle names a few times now and the Microsoft explanation is just not sufficient. I am configuring an IIS application to work on our domain and it looks like some of my issues are related to my need to configure http specific SPNs on the windows service account that is running the application pool hosting my site.

All this has made me realize I just don't fully get the relationship between service types (MSSQL, http, host, termsrv, wsman, etc.), Kerberos authentication, active directory computer accounts (PCName$), windows services accounts, SPNs, and the user account I am using to try and access a service.

Can someone please explain Windows Service Principle Names (SPNs) without oversimplifying the explanation?

Bonus points for a creative analogy that would resonate with a moderately experienced system administrator/developer.

PhilR

Asked: 2011-11-11 11:34:36 +0800 CST

How does Kerberos work with SSH?

22

Suppose I have four computers, Laptop, Server1, Server2, Kerberos server:

I log in using PuTTY or SSH from L to S1, giving my username / password
From S1 I then SSH to S2. No password is needed as Kerberos authenticates me

Describe all the important SSH and KRB5 protocol exchanges: "L sends username to S1", "K sends ... to S1" etc.

(This question is intended to be community-edited; please improve it for the non-expert reader.)

Infotekka

Asked: 2011-04-02 15:04:28 +0800 CST

Why use Kerberos instead of NTLM in IIS?

43

This is something that I've never really been able to answer as well as I like: What is the real advantage of using Kerberos authentication in IIS instead of NTLM?

I've seen a lot of people really struggle to get it set up (myself included) and I haven't been able to come up with a good reason for using it. There must be some pretty significant advantages though, otherwise it wouldn't be worth all the trouble to set it up, right?

NT332

Asked: 2010-05-09 11:14:35 +0800 CST

What is SASL/GSSAPI?

29

Numerous times i have met the expression SASL/GSSAPI. I have searched Google many times, but i simply do no understand what it is and how it relate to Kerberos.

Anybody that have a simple explanation on this?

sh-beta

Asked: 2009-06-05 17:53:15 +0800 CST

Authenticating OpenBSD against Active Directory

24

Edit: Reformatted this as Q&A. If anyone can change this from Community Wiki to a typical question, that's probably more appropriate as well.

How can I authenticate OpenBSD against Active Directory?

Can someone please explain Windows Service Principle Names (SPNs) without oversimplifying?

How does Kerberos work with SSH?

Why use Kerberos instead of NTLM in IIS?

What is SASL/GSSAPI?

Authenticating OpenBSD against Active Directory

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Questions[kerberos](server)