Re: format of service principal name (SPN)
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 30 Apr 2006 14:15:11 -0400
ADSIEDIT should be allowing it, I can't speak to DsWriteAccountSpn.
I just used my own admod (simple LDAP mod tool) to set an SPN with spaces in both the service name and service class.
G:\TEMP>adfind -default -f name=someuser serviceprincipalname
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:CN=someuser,OU=TestOU,DC=joe,DC=com
>servicePrincipalName: this is a test/test@xxxxxxxxxxxxxx/this is a test2
1 Objects returned
The directory uses DsCrackSpn to check the SPN prior to setting it; if it doesn't pass the DsCrackSpn check (i.e. status != ERROR_SUCCESS), it will not allow the change.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
johnny wrote:
The application registers the SPN by calling DsGetSpn followed by DsWriteAccountSpn. We have also tried setting it with ADSI Edit.
Shakti
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:e$Z5z7saGHA.4416@xxxxxxxxxxxxxxxxxxxxxxx
How exactly are you trying to set them?
Johnny wrote:
Thanks for the response. Yes, this is in reference to Kerberos entities. The SPN allows us to use the syntax I mentioned, but for some reason it does not work with spaces in the service name part (which according to documentation can be the distinguished name or LDAP name of the service). Delegation of impersonated credentials to a remote server fails because the remote server receives the "anonymous logon" credential.
Thanks for any help
Shakti
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:%23anIGyNaGHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
SPNs are Kerberos entities and they make use of the Kerberos canonical name. The distinguished names you mention sound like LDAP names.
"Johnny" <prem14@xxxxxxx> wrote in message news:%23uSzc4GaGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
We need to set up the service principal name for a service in this format
<class>/<host:port>/<service name>
We provide the distinguished name of the service in question. However, we found that this cannot have spaces in them. Surely distinguished names of objects can have spaces in them. Can you suggest a solution to this? If we use object GUID, what format do we enter that?
Thanks
Shakti
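
The DsCrackSpn check mentioned at the top of this thread can be run locally before attempting a write. The following is an added example, not part of the thread or of any poster's tooling: a PowerShell P/Invoke wrapper around DsCrackSpnW in ntdsapi.dll. The helper name Test-SpnSyntax and the sample SPNs are constructed for illustration, and it assumes a Windows host.

```powershell
# Added example: call DsCrackSpnW to see whether a candidate SPN parses
# (status 0 == ERROR_SUCCESS) and how it splits into components.
Add-Type -Namespace Native -Name Ntds -UsingNamespace System.Text -MemberDefinition @'
[DllImport("ntdsapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern uint DsCrackSpnW(
    string pszSpn,
    ref uint pcServiceClass, StringBuilder ServiceClass,
    ref uint pcServiceName,  StringBuilder ServiceName,
    ref uint pcInstanceName, StringBuilder InstanceName,
    out ushort pInstancePort);
'@

function Test-SpnSyntax {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Spn)

    # No component can be longer than the whole SPN; +1 for the terminating null.
    $cap = $Spn.Length + 1
    [uint32]$cClass = $cap
    [uint32]$cName  = $cap
    [uint32]$cInst  = $cap
    $class = [System.Text.StringBuilder]::new($cap)
    $name  = [System.Text.StringBuilder]::new($cap)
    $inst  = [System.Text.StringBuilder]::new($cap)
    [uint16]$port = 0

    $status = [Native.Ntds]::DsCrackSpnW($Spn,
        [ref]$cClass, $class, [ref]$cName, $name, [ref]$cInst, $inst, [ref]$port)

    [pscustomobject]@{
        Spn          = $Spn
        Status       = $status          # Win32 error code returned by the API
        Parses       = ($status -eq 0)  # 0 is ERROR_SUCCESS
        ServiceClass = $class.ToString()
        InstanceName = $inst.ToString()
        Port         = $port
        ServiceName  = $name.ToString()
    }
}

# Constructed sample inputs in the <class>/<host:port>/<service name> form.
$samples = @(
    'MyClass/host1.example.com:8080/CN=MyService,OU=Apps,DC=example,DC=com',
    'My Class/host1.example.com:8080/CN=My Service,OU=Apps,DC=example,DC=com',
    'no-separator-here'
)
$samples | ForEach-Object { Test-SpnSyntax -Spn $_ } | Format-Table -AutoSize
```

Comparing the Status column for the variants with and without spaces shows whether the rejection comes from the syntax check or from a later step such as the write or the delegation configuration.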