
Normally when you set up Kerberos for IIS, you would do something like setspn -A HTTP/machine some_account. When IIS 7 is installed, it registers the SPN "HOST/machine" for its kernel-mode authentication. Why does this work? Is "HOST" some kind of catch-all SPN that matches when there is no protocol-specific (e.g. "HTTP") SPN registered? Because the client will still specify the HTTP SPN in its TGT requests, right?

(Sorry if this is a simple question, "HOST" is a predictably difficult term to google)

bmm6o

1 Answer


HOST is a catch-all for several SPNs. These are determined by the field sPNMappings in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MyDC,DC=com in your AD, using ADSIEdit.msc.

See this site for more information: The problem with duplicate SPNs – alternate working title… KB321044++

And so I don't forget:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com

Christopher_G_Lewis
  • Can you clarify one thing: it's legal and possible to have an SPN for one of the classes that defer to HOST registered to another account, right? – bmm6o Jul 31 '13 at 15:25
    Well, no. SPNs have to be unique. Period. So typically you see a web server with HTTP SPNs via HOST for the machine name, then an alias registered with the SPN HTTP/. But if you were adding an SPN for a duplicate machine, that would be bad. – Christopher_G_Lewis Aug 01 '13 at 16:33
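The following PowerShell is an added example (not code from the question or the answer above) of how the KDC's HOST fallback and the uniqueness rule from the comments play out. It parses a sPNMappings value (the well-known default list, embedded here as constructed input), works out which SPNs the KDC will look for when a client asks for a ticket to, say, HTTP/web01.contoso.com, and resolves each against a constructed snapshot of servicePrincipalName registrations. The hostnames, account names and the snapshot itself are hypothetical; the commented Get-ADRootDSE / Get-ADObject calls show how to pull the real mapping from a domain and assume the ActiveDirectory module is installed.

```powershell
# Added example, not part of the original Q&A.
# Constructed input: the default sPNMappings value. On a real domain, read it with
# (requires the ActiveDirectory module):
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties sPNMappings).sPNMappings
$SpnMappings = @(
    'host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc'
)

# Constructed directory snapshot (hypothetical hosts and accounts):
# SPN -> accounts whose servicePrincipalName attribute carries it.
# A live lookup would be: Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
$Directory = @{
    'HOST/web01.contoso.com'    = @('WEB01$')                              # registered by the machine itself
    'HOST/WEB01'                = @('WEB01$')
    'HTTP/intranet.contoso.com' = @('CONTOSO\svc-iis')                     # alias registered to a service account
    'HTTP/dup.contoso.com'      = @('CONTOSO\svc-iis', 'CONTOSO\svc-old')  # deliberate duplicate
}

function ConvertFrom-SpnMappings {
    # Turns each "class=alias1,alias2,..." value into a table: alias -> class it collapses to.
    param([string[]]$Values)
    $map = @{}
    foreach ($v in $Values) {
        $class, $aliases = $v -split '=', 2
        foreach ($a in ($aliases -split ',')) {
            $map[$a.Trim().ToLowerInvariant()] = $class.Trim().ToLowerInvariant()
        }
    }
    $map
}

function Get-SpnCandidate {
    # SPNs the KDC will look for, in order: the exact SPN first, then the mapped-class
    # fallback (e.g. HTTP/x -> HOST/x) when the service class appears in sPNMappings.
    param([string]$Spn, [hashtable]$Map)
    $class, $rest = $Spn -split '/', 2
    $candidates = @($Spn)
    $target = $Map[$class.ToLowerInvariant()]
    if ($target) { $candidates += "$($target.ToUpperInvariant())/$rest" }
    $candidates
}

function Resolve-Spn {
    # Resolves each candidate against the snapshot (hashtable keys are case-insensitive, as
    # AD's lookup is), reports the SPN that matched and its owners, and flags duplicates,
    # which make the KDC unable to pick a key and so break Kerberos for that SPN.
    param([string]$Spn, [hashtable]$Map, [hashtable]$Snapshot)
    foreach ($c in (Get-SpnCandidate -Spn $Spn -Map $Map)) {
        if ($Snapshot.ContainsKey($c)) {
            $owners = @($Snapshot[$c])
            return [pscustomobject]@{
                Requested = $Spn; Matched = $c; Owners = $owners; Duplicate = ($owners.Count -gt 1)
            }
        }
    }
    [pscustomobject]@{ Requested = $Spn; Matched = $null; Owners = @(); Duplicate = $false }
}

$map = ConvertFrom-SpnMappings $SpnMappings
'HTTP/web01.contoso.com', 'HTTP/intranet.contoso.com', 'HTTP/dup.contoso.com', 'MSSQLSvc/web01.contoso.com' |
    ForEach-Object { Resolve-Spn -Spn $_ -Map $map -Snapshot $Directory } |
    Format-Table Requested, Matched, @{ n = 'Owners'; e = { $_.Owners -join ', ' } }, Duplicate -AutoSize
```

Run against the constructed snapshot, HTTP/web01.contoso.com has no HTTP registration of its own and is satisfied by HOST/web01.contoso.com on the machine account, which is the IIS 7 kernel-mode case from the question; HTTP/intranet.contoso.com matches its explicit registration on the service account first, so HOST is never consulted; HTTP/dup.contoso.com resolves but is flagged as a duplicate; and MSSQLSvc/web01.contoso.com gets no fallback at all because that class is not in sPNMappings. On a real forest, setspn -X lists duplicate SPNs directly and is the quick check to run before registering a new one.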