
Let's say our realm is CARS.LOCAL and I can't change it.

Would a principal like HTTP/portal.houses.com@CARS.LOCAL work?

In other words, our internet domain name doesn't match our realm, and I would like to use our registered domain name with Kerberos.

The server hosting portal.houses.com and acting as a Kerberos client to authenticate users is server1.cars.local. Reverse DNS lookup works for server1.cars.local.

But portal.houses.com resolves to an IP that does not match server1.cars.local in a reverse DNS lookup.

Is it possible to do what I want?

Would the only way be to have an A record for portal.houses.com with a static IP and make that IP's PTR record point to portal.houses.com?

I'm using Active Directory as the Kerberos server.

bbigras

1 Answer


Reverse DNS doesn't apply here.

Browsers will canonicalize CNAMEs to A records and use the A record's name in the requested SPN. If portal.houses.com is a CNAME that the client resolves to server1.cars.local, then the browser will request a ticket for http/server1.cars.local from the domain controller associated with the logged-on user.

The actual realm name doesn't matter. Kerberos is happy as long as there's an SPN registered on a service account.

Steve
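A worked version of the answer above, added here as an example and not part of the original answer. It follows the CNAME chain the way a canonicalizing browser does to find the host name that will end up in the requested SPN, checks whether that SPN is already held by some AD object (a duplicate SPN on two accounts breaks Kerberos for both), and then registers it. The names `portal.houses.com` and `server1.cars.local` come from the question; the service account `svc-portal`, the assumption that `portal.houses.com` is a CNAME, and the assumption that this runs on a domain-joined admin workstation with RSAT (the ActiveDirectory module and `setspn.exe`) are mine.

```powershell
# Added example, not from the original answer. Assumptions:
#   - portal.houses.com is a CNAME pointing (possibly via more CNAMEs) at server1.cars.local
#   - the web application on server1.cars.local runs as the AD account CARS\svc-portal (hypothetical name)
#   - run on a domain-joined machine with RSAT (ActiveDirectory module + setspn.exe)
$SiteName       = 'portal.houses.com'
$ServiceAccount = 'svc-portal'

# Resolve CNAMEs until a name with no CNAME is reached; a canonicalizing browser
# puts that final name, not the name typed in the address bar, into the SPN.
function Get-CanonicalHostName {
    param([Parameter(Mandatory)][string]$Name)
    $seen = @{}
    while ($true) {
        if ($seen.ContainsKey($Name)) { throw "CNAME loop detected at $Name" }
        $seen[$Name] = $true
        $cname = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) { return $Name.TrimEnd('.') }   # reached the A record's name
        $Name = $cname.NameHost
    }
}

$canonical = Get-CanonicalHostName -Name $SiteName
"Browser will ask the KDC for: HTTP/$canonical"

# Register the canonical name's SPN (what the answer says the browser requests)
# and, as a hedge, the site name's SPN for clients configured not to canonicalize.
$spns = @("HTTP/$canonical", "HTTP/$SiteName") | Select-Object -Unique

foreach ($spn in $spns) {
    # Any object already holding this SPN? A duplicate must be removed first,
    # otherwise the KDC cannot pick a key and clients fall back to NTLM or fail.
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($holder) {
        "$spn is already registered on $($holder.DistinguishedName)"
    } else {
        # -S checks the forest for duplicates before adding the SPN.
        setspn -S $spn $ServiceAccount
    }
}

# Confirm what the service account now holds.
setspn -L $ServiceAccount
```

After a user browses to the site from a domain-joined client, `klist` on that client should show a ticket for `HTTP/server1.cars.local @ CARS.LOCAL`; the realm is chosen by the client's logon domain, which is why the mismatch between `houses.com` and `CARS.LOCAL` never enters into it. Registering both SPNs is a deliberate choice: it also covers clients whose browser has CNAME canonicalization turned off and therefore asks for `HTTP/portal.houses.com` directly. Reverse DNS is not consulted at any step, which matches the first line of the answer.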