Is it possible to set an SPN with a path?

I'd like to know if it is possible to set an SPN with a non-root URL, something like this:

setspn -U -A http/www.example.com/someApp/path/ someServiceUser

So that different applications running in different IIS application pools can have different SPNs.

I tried the command, but it tells me that the name reference is invalid (which I can understand, since / is a special char in SPNs).

TGlatzer

Posted 2013-07-09T12:36:27.643

Reputation: 113

Answers

Probably not. As far as I know, Kerberos service principals are always in the form service/hostname (exactly two components), and the hostname always matches the one that the client wants to access (not the one the server claims to be). It's possible for HTTP/* SPNs to include the port, but never the HTTP path.

user1686

Posted 2013-07-09T12:36:27.643

Reputation: 283 655

That's not what I wanted to hear, but it matches my experience. – TGlatzer – 2013-07-09T13:30:31.000

Btw, this here is core information for me: the hostname always matches the one that the client wants to access (not the one the server claims to be). I was not aware of that. – TGlatzer – 2013-07-09T13:31:50.633

@Grumbler85: A small addition to that: MIT Kerberos and Heimdal (the most common Kerberos implementations for Unix(-like) systems) often use the "reverse DNS" of the server's address as the principal's hostname. However, Windows itself does not seem to do this, which makes sense given that DNS is insecure. – user1686 – 2013-07-09T13:35:01.353
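As an added illustration of the answer above (example code, not from the thread), a small Python check that accepts only the service/hostname[:port] shape and rejects the path form from the question, plus a helper showing that a client derives the SPN from the host in the URL it requests, so every path under www.example.com maps to the same SPN. Appending an explicit port to the client-side SPN is a simplification assumed here; real clients differ in whether they do so.

```python
import re
from urllib.parse import urlsplit

# Shape assumed here: serviceclass/hostname[:port]. The "/" that a URL path
# would introduce after the host is exactly what setspn rejects.
_SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<host>[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def parse_spn(spn: str) -> dict:
    """Split an SPN into service class, host and optional port.

    Raises ValueError for anything else, including a trailing path such as
    http/www.example.com/someApp/path/ from the question.
    """
    m = _SPN_RE.match(spn)
    if not m:
        raise ValueError(f"invalid SPN: {spn!r}")
    port = m.group("port")
    return {
        "service": m.group("service").upper(),  # service class is case-insensitive
        "host": m.group("host").lower(),        # so is the host name
        "port": int(port) if port else None,
    }


def is_valid_spn(spn: str) -> bool:
    try:
        parse_spn(spn)
        return True
    except ValueError:
        return False


def client_spn_for_url(url: str) -> str:
    """SPN a Kerberos client asks the KDC for when opening this URL.

    Only the host the client typed matters; the path is discarded, so
    different apps under one host name share one SPN. Including an explicit
    port is a simplification assumed for this demo.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an HTTP(S) URL with a host: {url!r}")
    spn = f"HTTP/{parts.hostname.lower()}"
    if parts.port is not None:
        spn += f":{parts.port}"
    return spn
```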