[OpenAFS] Windows 2003 afs service keys info

Marc Dionne marc.dionne@technoconseil.com
Wed, 24 Jan 2007 14:02:56 -0500 (EST)


John W. Sopko Jr. wrote:
> Without more information I would
> only be speculating on how Microsoft intends one to use the "setspn"
> command. Having multiple service principles attached to a single account
> name is confusing.

Nothing to do with AFS, but "setspn" is useful even in a strictly Windows
environment.  I use it regularly in a couple of situations:
- to allow kerberos authentication to work when accessing some services
via a DNS alias.  In this case you attach a SPN for each alias to the
server's account.
- to allow kerberos authentication to work with IIS when the associated
pool is  run with an account other than the standard local accounts (ex.
Network Service).  In this case SPNs for each server and any aliases are
attached to the user account that runs the IIS pool.

Marc