[OpenAFS] Windows 2003 afs service keys info

John W. Sopko Jr. sopko@cs.unc.edu
Thu, 25 Jan 2007 08:15:06 -0500

Marc Dionne wrote:
> John W. Sopko Jr. wrote:
>> Without more information I would
>> only be speculating on how Microsoft intends one to use the "setspn"
>> command. Having multiple service principles attached to a single account
>> name is confusing.
> Nothing to do with AFS, but "setspn" is useful even in a strictly Windows
> environment.  I use it regularly in a couple of situations:
> - to allow kerberos authentication to work when accessing some services
> via a DNS alias.  In this case you attach a SPN for each alias to the
> server's account.
> - to allow kerberos authentication to work with IIS when the associated
> pool is  run with an account other than the standard local accounts (ex.
> Network Service).  In this case SPNs for each server and any aliases are
> attached to the user account that runs the IIS pool.
> Marc

I am not a Windows admin but after researching it does appear that the
setspn command is more useful for a Windows environment. I did see
some Microsoft Tech notes about using setspn for IIS and SQL Server.

I believe that using the ktpass command with the -mapuser option is
probably the proper way to export keytabs to U/Linux services and
not use setspn at all.

John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175