Re: Apache/Active Directory authentication




On Wed, 23 Mar 2011, Michael B Allen wrote:

Yes, but using the machine principal you're able to request any number of
service principals that are SERVICENAME/<machinename>.  For this to work in a
virtual hosting environment, you need multiple machine names (since we're
talking about making a number of HTTP/<blah> principals).  Whilst I accept

The "<machinename>" of the principal does NOT have to match the actual
machine name. You could create a User object called "alice" with
servicePrincipalName values of HTTP/as1.busicorp.local,
HTTP/mycomputer.net and HTTP/test1 and requesting tickets for any of
those names will work just fine. AD just searches for an account with
a servicePrincipalName value that matches the principal requested for
the service ticket.

Pedantic note: If you have the same servicePrincipalName value on more
than one account, AD will actually choke and not return a ticket at
all (because the request is ambiguous); there is no constraint in AD
to stop people from accidentally adding the same SPN to multiple
accounts, and AD will not return any kind of meaningful error about it.

Sure, but if you're not a domain admin, you've only got a machine principal,
and your own principal (which I can use to join machines to the domain).
Given those, and *not* a domain admin credential, how do you create those
principals?

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
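The exchange above makes two points worth checking for in practice: the KDC finds the account for a service ticket purely by matching the requested SPN against servicePrincipalName values, and a duplicated SPN makes that lookup ambiguous so no ticket is issued. The following is an added example, not code from the thread or from any CentOS or Microsoft tool: it parses a small, constructed LDIF export of the kind `ldapsearch` would return from AD, models the KDC lookup, and reports every SPN registered on more than one account. The account names, DNs and SPN values are made up for illustration.

```python
"""Audit AD accounts for duplicate servicePrincipalName values.

Models the behaviour described in the thread: a TGS request names an SPN,
the KDC looks for the single account holding that SPN, and if more than one
account holds it the request is ambiguous and no ticket comes back.
All directory data below is constructed sample input, not a real domain.
"""
from collections import defaultdict

# Constructed ldapsearch-style LDIF export (hypothetical domain busicorp.local).
# "alice" is a plain user object carrying HTTP/ SPNs for names that are not
# her machine, which is exactly what the thread says AD allows.
# HTTP/test1 is registered twice on purpose to show the ambiguous case.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=busicorp,DC=local
sAMAccountName: alice
servicePrincipalName: HTTP/as1.busicorp.local
servicePrincipalName: HTTP/mycomputer.net
servicePrincipalName: HTTP/test1

dn: CN=WEB01,CN=Computers,DC=busicorp,DC=local
sAMAccountName: WEB01$
servicePrincipalName: HOST/web01.busicorp.local
servicePrincipalName: HTTP/web01.busicorp.local

dn: CN=svc-intranet,CN=Users,DC=busicorp,DC=local
sAMAccountName: svc-intranet
servicePrincipalName: HTTP/intranet.busicorp.local
servicePrincipalName: HTTP/test1
"""


class UnknownSpn(LookupError):
    """No account carries the requested SPN."""


class AmbiguousSpn(LookupError):
    """More than one account carries the requested SPN; the KDC refuses."""


def parse_ldif(text):
    """Return {sAMAccountName: [spn, ...]} from a minimal LDIF dump.

    Entries are separated by blank lines; only plain 'attr: value' lines are
    handled (base64 '::' continuation lines are not needed for this data).
    """
    accounts, spns, name = {}, [], None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if name is not None:
                accounts[name] = spns
            spns, name = [], None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "samaccountname":
            name = value.strip()
        elif attr.lower() == "serviceprincipalname":
            spns.append(value.strip())
    return accounts


def index_spns(accounts):
    """Map lower-cased SPN -> owning accounts; SPN matching is case-insensitive."""
    index = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            index[spn.lower()].append(account)
    return dict(index)


def find_duplicates(accounts):
    """SPNs held by more than one account, i.e. the ones the KDC cannot serve."""
    return {spn: sorted(owners)
            for spn, owners in index_spns(accounts).items() if len(owners) > 1}


def resolve_spn(accounts, requested):
    """Mimic the KDC's lookup for a service-ticket request."""
    owners = index_spns(accounts).get(requested.lower(), [])
    if not owners:
        raise UnknownSpn(requested)
    if len(owners) > 1:
        raise AmbiguousSpn(f"{requested} is registered on {owners}")
    return owners[0]


SAMPLE_ACCOUNTS = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for spn, owners in sorted(find_duplicates(SAMPLE_ACCOUNTS).items()):
        print(f"DUPLICATE {spn}: {', '.join(owners)}")
    for request in ("HTTP/mycomputer.net", "HTTP/test1", "HTTP/nowhere"):
        try:
            print(f"{request} -> ticket for account {resolve_spn(SAMPLE_ACCOUNTS, request)}")
        except (UnknownSpn, AmbiguousSpn) as err:
            print(f"{request} -> no ticket ({type(err).__name__}: {err})")
```

Against a live domain you would feed the script the output of an `ldapsearch` for `(servicePrincipalName=*)` instead of `SAMPLE_LDIF`; on a Windows host, `setspn -X` performs the same duplicate search, but running the check from the Linux side is convenient when the web hosts are the ones being registered.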
