On Thu, Mar 14, 2013 at 05:10:23PM +0100, Sean Boran wrote:
>
> See for example:
> "the thing to watch out for is that AD will fail to return a ticket if
> the SPN requested is found on more than one account (because it
> doesn't know which account to use). So be careful that you do not
> accidentally create multiple service accounts with the same SPN."
> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.kerberos/2009-09/msg00029.html
>
You can check this using:
setspn -q YOUR-SPN-GOES-HERE
I use setspn -q HTTP/proxy.name.here
You should only get one.
> and for Windows services, SPNs are linked to a user:
> "To use Kerberos authentication with a load-balanced array of Client
> Access servers ..All computers within the Client Access server array
> must share the same service account... You can create a computer
> account or a user account for the alternate service account"
Hmm I will be interested to see if this works for you - it didn't for
me. I ended up having a user account for the load-balancer and one each
for the back end servers. The keytab on each backend server contains
the keytab entry for the proxy and the individual machine keytab.
-- Brett Lymn
Received on Thu Mar 14 2013 - 22:46:01 MDT
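The duplicate-SPN check Brett describes with setspn -q, as an added example (not code from either poster): it queries AD directly for every account holding the SPN and reports whether the registration is unique. It assumes the RSAT ActiveDirectory module is installed and uses HTTP/proxy.name.here as a placeholder SPN.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT) is available; HTTP/proxy.name.here is a placeholder SPN.
Import-Module ActiveDirectory

function Get-SpnHolders {
    param([Parameter(Mandatory)][string]$Spn)

    # servicePrincipalName is multi-valued; the LDAP filter matches any value.
    # Escape LDAP filter metacharacters before embedding the SPN in the filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" `
                 -Properties servicePrincipalName |
        Select-Object Name, DistinguishedName, ObjectClass
}

function Test-SpnUnique {
    param([Parameter(Mandatory)][string]$Spn)

    $holders = @(Get-SpnHolders -Spn $Spn)
    switch ($holders.Count) {
        0 {
            Write-Warning "$Spn is not registered on any account"
            return $false
        }
        1 {
            Write-Host "$Spn is registered once, on $($holders[0].DistinguishedName)"
            return $true
        }
        default {
            # More than one holder: the KDC cannot pick an account and will
            # not issue a ticket for this SPN (the failure mode quoted above).
            Write-Warning "$Spn is registered on $($holders.Count) accounts:"
            $holders | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
            return $false
        }
    }
}

# Check the proxy SPN discussed in the thread.
Test-SpnUnique -Spn 'HTTP/proxy.name.here'
```

To sweep the whole forest rather than one SPN, `setspn -X` lists every duplicated SPN in a single pass.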