
This is a bit of a weird one. I'm building a new web server hosted on a LAMP stack to replace an old IIS server. Its intended DNS name is currently occupied by the old server. I have SSL certificates set up for the new server, and configs ready to move the DNS over, but I'd like to have an SPN/TGT (HTTP/{fqdn}@{domain}) set up on the host in advance as well. I can have a separate service account to maintain it; the problem is that the FQDN is currently occupied.

Will creating that SPN on the LAMP host rob the IIS host of the ability to authenticate users through Kerberos?

  • Why do you want the server to have the same name? There's almost never a good reason for this, and it's not technically necessary. – Michael Hampton Apr 03 '19 at 16:06

1 Answer


In fact, it will not be possible to associate the same SPN with the new principal until it's removed from the old principal. On the off chance you can convince AD to have it duplicated on multiple principals, you're going to have weird results trying to get a Kerberos ticket. Depending on a number of factors it'll either pick the original credential, the new credential, or just barf because it found both.

So, don't do that. My recommendation is to treat the new service as unique up until you decommission the old server.

Steve
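A pre-flight check for the situation described in the answer, as an added example that is not part of the question or answer: it looks up whether HTTP/{fqdn} is already held by any object in the domain and only registers it on the new service account when the name is free. It assumes the RSAT ActiveDirectory module and setspn.exe are available; the FQDN and account name are placeholders you supply.

```powershell
# Added example (not from the question or answer): refuse to create a duplicate
# HTTP SPN, since AD rejects duplicates and a duplicate would break ticket issuance.
# Assumes: ActiveDirectory module (RSAT), setspn.exe, and rights to read and write
# servicePrincipalName on the accounts involved.
function Register-HttpSpnIfFree {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # placeholder, e.g. web.example.com
        [Parameter(Mandatory)][string]$NewAccount   # sAMAccountName of the new service account
    )
    Import-Module ActiveDirectory

    $spn = "HTTP/$Fqdn"

    # Find every object (computer or user) that already carries this SPN.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                            -Properties servicePrincipalName, objectClass

    if ($holders) {
        Write-Host "$spn is already registered on:"
        foreach ($h in $holders) {
            Write-Host "  $($h.DistinguishedName) [$($h.objectClass)]"
        }
        Write-Host "Not adding a duplicate. Remove it from the old host first:"
        Write-Host "  setspn -D $spn <old-account>"
        return $false
    }

    # The name is free: register it. setspn -S re-checks for duplicates before writing.
    setspn -S $spn $NewAccount
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed with exit code $LASTEXITCODE"
    }

    # Sanity check: the domain-wide duplicate scan should report no duplicates.
    setspn -X
    return $true
}

# Usage (placeholders): run once the old server has given up the name.
# Register-HttpSpnIfFree -Fqdn 'web.example.com' -NewAccount 'svc-lamp-web'
```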