[OpenAFS] Windows 2003 afs service keys info
John W. Sopko Jr.
sopko@cs.unc.edu
Thu, 25 Jan 2007 08:15:06 -0500
Marc Dionne wrote:
> John W. Sopko Jr. wrote:
>> Without more information I would
>> only be speculating on how Microsoft intends one to use the "setspn"
>> command. Having multiple service principals attached to a single account
>> name is confusing.
>
> Nothing to do with AFS, but "setspn" is useful even in a strictly Windows
> environment. I use it regularly in a couple of situations:
> - to allow kerberos authentication to work when accessing some services
> via a DNS alias. In this case you attach a SPN for each alias to the
> server's account.
> - to allow kerberos authentication to work with IIS when the associated
> pool is run with an account other than the standard local accounts (ex.
> Network Service). In this case SPNs for each server and any aliases are
> attached to the user account that runs the IIS pool.
>
> Marc
I am not a Windows admin, but after researching it, it does appear that the
setspn command is more useful for a Windows environment. I did see
some Microsoft Tech notes about using setspn for IIS and SQL Server.
I believe that using the ktpass command with the -mapuser option is
probably the proper way to export keytabs to U/Linux services and
not use setspn at all.
--
John W. Sopko Jr. University of North Carolina
email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
Phone: 919-962-1844 Sitterson Hall; Room 044
Fax: 919-962-1799 Chapel Hill, NC 27599-3175
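The two things discussed in this exchange, registering extra SPNs for a DNS alias with setspn (Marc's first case) and exporting a keytab for a Unix/Linux service with ktpass -mapuser (John's conclusion), as one added example. This is not code from the thread or from OpenAFS; the domain EXAMPLE/EXAMPLE.COM, the computer account FILESRV01, the alias files.example.com, the account afs-example, the principal afs/example.com and the path C:\temp\afs.keytab are all hypothetical, and DES-CBC-CRC is assumed as the key type a 2007-era AFS service would want. It must run on a domain-joined Windows box, elevated, as a user allowed to write servicePrincipalName and reset the mapped account's password.

```powershell
# Added example, not from the original thread or from OpenAFS.
# Assumptions (all hypothetical): AD domain EXAMPLE / realm EXAMPLE.COM,
# file server computer account FILESRV01 reached via DNS alias files.example.com,
# and a dedicated AD user afs-example that holds the Unix-side AFS service key.
# Uses only setspn.exe, ktpass.exe, icacls.exe and System.DirectoryServices.

$Realm     = 'EXAMPLE.COM'
$Domain    = 'EXAMPLE'
$HostAcct  = 'FILESRV01'                 # computer account that runs the service
$Alias     = 'files.example.com'         # DNS CNAME that clients actually use
$SvcAcct   = "$Domain\afs-example"       # account mapped to the Unix principal
$Principal = "afs/example.com@$Realm"    # Unix-side service principal (assumed)
$Keytab    = 'C:\temp\afs.keytab'

# Search the whole domain for any account already carrying the SPN. One SPN on
# two accounts breaks Kerberos for both (the KDC cannot pick a key), so every
# add goes through this check first instead of trusting setspn -A blindly.
function Find-SpnOwner([string]$Spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

function Add-SpnIfMissing([string]$Spn, [string]$Account) {
    $sam    = ($Account -split '\\')[-1]           # strip DOMAIN\ prefix
    $owners = @(Find-SpnOwner $Spn)
    if ($owners -contains $sam) {
        Write-Host "$Spn already present on $sam"
        return
    }
    if ($owners.Count -gt 0) {
        Write-Warning "$Spn is registered on $($owners -join ', '); refusing to duplicate it"
        return
    }
    & setspn -A $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $Spn $Account failed" }
}

# --- Case 1: Kerberos through a DNS alias ------------------------------------
# A client builds the SPN from the name it typed, so the alias needs its own
# HOST/ and HTTP/ entries on the computer account of the server behind it.
foreach ($spn in "HOST/$Alias", "HTTP/$Alias") {
    Add-SpnIfMissing $spn $HostAcct
}
& setspn -L $HostAcct                     # show the resulting registration

# --- Case 2: keytab for a Unix/Linux service via ktpass -mapuser ------------
# -pass +rndPass puts a random password on afs-example: nobody needs to know
# it, only the keytab does. This RESETS the account password and bumps the
# kvno, so any keytab exported earlier for this account stops working.
# DES-CBC-CRC is assumed for the AFS key; the account then also needs
# "Use DES encryption types for this account" set or the KDC will not issue
# DES tickets for it.
& ktpass -princ $Principal -mapuser $SvcAcct -mapop set `
         -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL `
         -pass '+rndPass' -out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $Principal" }

# The principal's SPN (name without the realm) must resolve to the mapped
# account; register it through the same duplicate check. If ktpass already
# wrote it, Add-SpnIfMissing just reports it as present.
Add-SpnIfMissing ($Principal -replace '@.*$', '') $SvcAcct

# The keytab is a long-term key: lock the file down before it leaves the box.
$me = "$($env:USERDOMAIN)\$($env:USERNAME)"
& icacls $Keytab /inheritance:r /grant:r "${me}:(R)" | Out-Null
Write-Host "Copy $Keytab to the Unix host over scp and verify with 'klist -k $($Keytab | Split-Path -Leaf)'"
```

Two points worth keeping in mind when adapting this: the LDAP lookup is what protects you, because the Windows 2003 setspn only offers -A/-D/-L/-R and will happily register a duplicate (the -S and -Q switches that do this check arrived in later releases), and ktpass is never safe to re-run casually against an account that another keytab already depends on, since the password reset invalidates that keytab immediately.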