First, the service principal name is registered for a user using the setspn command.
setspn -a CS/[email protected] dummyuser
setspn -l dummyuser
gives the output as
Next, when the ktpass command is executed with the /mapUser option, the service principal name of the user account gets modified so that the domain component gets dropped.
ktpass /pass Password@123 -out dummy.1.keytab -princ CS/[email protected] -crypto DES-CBC-MD5 +DumpSalt -ptype KRB5_NT_PRINCIPAL +desOnly /mapOp set /mapUser dummyuser
setspn -l dummyuser
gives the output as
CS/dummy
Are both of the following commands correct, and do they work in the same way?
setspn -a CS/dummy dummyuser
setspn -a CS/[email protected] dummyuser
While specifying the service name in the SPN, is it mandatory to include the domain component too? Can you please clarify?
For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. For more information about SPN format and composing a unique SPN, see Name Formats for Unique SPNs.
If you are using Kerberos-based authentication, you must configure a Service Principal Name (SPN) for Network Controller in Active Directory. The SPN is a unique identifier for the Network Controller service instance, which is used by Kerberos authentication to associate a service instance with a service login account.
Viewing SPNs
To view a list of the SPNs that a computer has registered with Active Directory from a command prompt, use the setspn -l hostname command, where hostname is the actual host name of the computer object that you want to query.
SPNs are registered for built-in accounts automatically. However, when you run a service under a domain user account, you must manually register the SPN for the account you want to use. To create an SPN, you can use the SetSPN command line utility.
As you did not mention it, I will assume you are in a Windows Active Directory domain environment. I say that because the command "ktpass" given in your example is native to Windows. Based on this I will assume that your Active Directory DNS domain name is abc.com and your Kerberos realm name is ABC.COM.
So, in your case, based on everything I mentioned, while you can use:
setspn -a CS/dummy dummyuser
It would be better to do it this way instead:
setspn -s CS/dummy.abc.com dummyuser
For extra credit I've also modified your keytab creation command accordingly, though keeping the DES part so as not to further confuse.
ktpass +rndPass -out dummy.1.keytab -princ CS/[email protected] -crypto DES-CBC-MD5 +DumpSalt -ptype KRB5_NT_PRINCIPAL +desOnly /mapOp set /mapUser [email protected]
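The following is an added example (editor's code, not the answerer's) that carries the answer's recommendation through end to end in PowerShell. It assumes the names the answer assumes: service class CS, host dummy.abc.com, account dummyuser, AD DNS domain abc.com and Kerberos realm ABC.COM, all of which are placeholders. It checks the forest for an existing copy of the SPN before registering it (a duplicate SPN breaks Kerberos for both owners, because the KDC cannot choose which key to use), registers the host-qualified form with setspn -S rather than -A, verifies what AD stored with setspn -L, and then builds the keytab with an AES key type. The DES-CBC-MD5 and +desOnly options from the thread are dropped on purpose: DES is disabled by default on supported Windows versions and is trivially brute-forceable. +rndPass is kept so the service account password never appears on the command line the way /pass Password@123 does in the question.

```powershell
# Added example, not code from the original answer. Placeholder names:
# service class CS, host dummy.abc.com, account dummyuser, domain abc.com,
# realm ABC.COM. Run on a domain-joined machine as an account that may write
# servicePrincipalName on the target user and reset its password.
param(
    [string]$ServiceClass = 'CS',
    [string]$HostFqdn     = 'dummy.abc.com',
    [string]$Account      = 'dummyuser',
    [string]$Realm        = 'ABC.COM',
    [string]$KeytabPath   = (Join-Path $PWD 'dummy.1.keytab')
)

$spn = "$ServiceClass/$HostFqdn"

# 1. Forest-wide duplicate check. setspn -Q prints "No such SPN found." when
#    the SPN is unused and "Existing SPN found!" plus the owner otherwise.
$query = (& setspn.exe -Q $spn 2>&1) -join "`n"
if ($query -notmatch 'No such SPN found') {
    throw "SPN $spn is already registered somewhere in the forest:`n$query"
}

# 2. Register with -S, which re-checks for duplicates on the DC before adding.
#    -A appends blindly and will happily create a duplicate.
& setspn.exe -S $spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }

# 3. Read back what AD actually stores on the account. setspn -L prints a
#    header line followed by one indented SPN per line.
$registered = & setspn.exe -L $Account |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z0-9_.-]+/' }
if ($registered -notcontains $spn) {
    throw "SPN $spn not present on $Account after registration; got: $($registered -join ', ')"
}
Write-Host "SPNs on ${Account}: $($registered -join ', ')"

# 4. Keytab. The principal is <SPN>@<REALM>, so the realm is upper case and
#    the host part matches the SPN registered above. /mapop set replaces any
#    existing mapping on the account; use /mapop add to keep others.
#    +rndPass resets the account password to a random value, which is what you
#    want for a pure service account and never for an account a person uses.
& ktpass.exe /out $KeytabPath `
    /princ "$spn@$Realm" `
    /mapuser "$Account@$($Realm.ToLower())" `
    /mapop set `
    /ptype KRB5_NT_PRINCIPAL `
    /crypto AES256-SHA1 `
    +rndPass
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 5. The keytab now holds the long-term key for the service: treat it like a
#    password file (restrict ACLs, copy it over an encrypted channel, delete
#    it from this host once it is deployed).
Get-Item $KeytabPath | Select-Object FullName, Length, LastWriteTime
```

After this runs, setspn -L dummyuser should list CS/dummy.abc.com, and the keytab's principal is CS/dummy.abc.com@ABC.COM. If clients still receive RC4 tickets for the service, check the account's msDS-SupportedEncryptionTypes attribute (the "This account supports Kerberos AES 256 bit encryption" checkbox in the account properties), since the KDC will not issue an AES-keyed ticket to an account that does not advertise AES support.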