Service Principal Name in Kerberos
- From: "Andrei Zakharov" <zandr@xxxxxxxxxxxxxxxx>
- Date: Fri, 19 Oct 2007 20:21:22 +0400
Hi,
I have a three-tier application, which consists of a client, an application
server and MS SQL server. The client and application server run under domain
accounts. They also both use impersonation with Kerberos. Plus, the account
under which the application server runs has 'Account is trusted for
delegation' turned on. So the net result is that MS SQL authenticates the
user that runs the client. In order to work with Kerberos, a client has to
specify a Service Principal Name (SPN). At the moment we specify
Domain\AppServerUser, which runs the application server, as the SPN.
1) Is that usage of SPN correct, i.e. SPN = Domain\AppServerUser?
2) What do we have to do in order to use an SPN in the form that is used
for IIS or Exchange? For example: OurServiceName/host.domain. And is it
actually needed, in contrast to the case when SPN = Domain\AppServerUser?
Thank you.
--
Andrei.