[30946] in Kerberos
Re: confusion with service principal names in Active Directory
daemon@ATHENA.MIT.EDU (Michael B Allen)
Mon Mar 30 14:43:01 2009
MIME-Version: 1.0
In-Reply-To: <49D1002E.6030801@realityfailure.org>
Date: Mon, 30 Mar 2009 14:23:53 -0400
Message-ID: <78c6bd860903301123x1226c6b5r3290e5855c2ffc8e@mail.gmail.com>
From: Michael B Allen <ioplex@gmail.com>
To: John Jasen <jjasen@realityfailure.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Mar 30, 2009 at 1:23 PM, John Jasen <jjasen@realityfailure.org> wrote:
> Paul Moore wrote:
>> use adsiedit (GUI) to set the spn on the AD rpincipal
>> or setspn cli tool
>
> I don't think that's the problem. The SPN is listed in Active Directory,
> and can be queried through ldapsearch, listed via setspn, seen through
> ADSIedit or jxplorer, etc. Its definitely in there, just stock kerberos
> doesn't see it for some reason.
Make sure that you do not have the same SPN set on more than one
account. If you do, AD will consider the request ambigous and it will
NOT grant a ticket for that SPN.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
