Do services run as the computer user under AD

From: Tony Lill (ajlill@tardis.ajlc.waterloo.on.ca)
Date: 12/12/01


From: Tony Lill <ajlill@tardis.ajlc.waterloo.on.ca>
Date: Wed, 12 Dec 2001 04:03:06 GMT

We are looking to port a Kerberos application to 2k and AD. We would
need to have a service on each box that would authenticate itself to
another service using SSPI, and we need it to authenticate as the
computer rather than a human user.

If you run AcquireCredentialsHandle from a service and don't try to
borrow a logged-in user's ID, what is the principal that you get? Can
you request a service principal like foo/hostname@REALM, and then use
it in an InitializeSecurityContext call?

--
Tony Lill,                         Tony.Lill@AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------


