Author | Messages
AD000001523 (Posts: 0) | 04/03/2006 9:20 AM
I am working on bringing a Unix service under AD. To do this I need to map a service
principal name (SPN) to an AD account. The MS document specifies using a user
account for this, and I have tested with this and it works. However, I am also
trying to use a computer account for this. Everything seems to work except the
ticket cannot be decrypted. So I am curious if computer accounts can be used
for this purpose. It seems quite straightforward, but it just didn't work.
Thanks,
Terry
MarcusOh (Posts: 9) | 04/04/2006 4:08 AM
Do you need to trust the computer account for delegation?
:m:dsm:cci:mvp | marcusoh.blogspot.com
AD000001523 (Posts: 0) | 04/04/2006 5:52 AM
I don't see how delegation helps in this case. Apparently AD issues a ticket for this service. But I went ahead and trusted the computer account for delegation anyway, and it still fails.
Terry
MarcusOh (Posts: 9) | 04/04/2006 7:02 AM
Yep, you're right... shouldn't matter. What little I've done w/ SPNs has always been setting the user account against a hostname. Never tried w/ just the computer account.
:m:dsm:cci:mvp | marcusoh.blogspot.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of T C
Sent: Tuesday, April 04, 2006 1:47 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Creating a service instance account in AD
I don't see how delegation helps in this case. Apparently AD issues a ticket for this service. But I went ahead and trusted the computer account for delegation anyway, and it still fails.
Terry
listmail (Posts: 497) | 04/04/2006 8:52 AM
I seem to recall seeing something like this in the newsgroups previously. Once I seem to recall that the problem was related to the keytab not being generated properly. The other time was an issue with the encryption type. The machine required encryption that is OFF by default in Windows Server 2003 because it is insecure, I want to say DES-CBC-CRC maybe, because the machine couldn't support DES-CBC-MD5. There was a hotfix out there which I think is wrapped into SP1 now that allows you to re-enable that encryption. It was always available under W2K from what I understand.

The Kerb questions tend to not get tackled big time in this list, probably because most people are using Windows and Microsoft just made it so it simply works. The times you hear about it are with interaction with Unix/Linux/BSD and some pain point.

Something you may consider doing is looking at a product that makes Kerberos integration with Windows far easier; this would be from either Centrify or Vintela.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
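The two failure modes named in the reply above (a badly generated keytab and an encryption type the keytab does not hold) both surface on the Unix side as "ticket cannot be decrypted", and the quickest way to tell them apart is to look at what the keytab actually contains. The following is an added example, not code from the thread or from Microsoft: a parser for the MIT keytab file format (version 0x0502, the format MIT Kerberos and Heimdal read) plus a check that reports, for a given SPN, enctype and key version number, which of the three things has to line up (principal, kvno, enctype) is the one that does not. The principal names, realm, timestamps and key bytes are constructed sample data; build_keytab exists only to fabricate that sample in memory; HOST_SPN, SAMPLE_KEYTAB and can_decrypt are names chosen here, not tool or library APIs.

```python
"""Added example: parse an MIT-format Kerberos keytab (version 0x0502) and say
why a service ticket can or cannot be decrypted with the keys it holds."""
import struct
from dataclasses import dataclass

# RFC 3961 / IANA enctype numbers; the DES types are the ones named in the thread.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str  # e.g. host/unixbox.example.com@EXAMPLE.COM
    name_type: int  # 1 = KRB5_NT_PRINCIPAL
    timestamp: int  # epoch seconds when the key was written
    kvno: int       # key version; must match the kvno the KDC used for the ticket
    enctype: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string (how realm and components are stored)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Each entry: int32 size, uint16 ncomp, realm, ncomp components, uint32 name_type,
    uint32 timestamp, uint8 vno8, uint16 enctype, uint16 keylen, key, optional uint32 kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted entry: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        key = data[off + 13:off + 13 + klen]
        kvno = vno8
        if end - (off + 13 + klen) >= 4:   # 32-bit kvno is written when the version exceeds 255
            (vno32,) = struct.unpack_from(">I", data, off + 13 + klen)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Serialize entries in the same layout; used here only to fabricate the sample."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def can_decrypt(entries, principal: str, enctype: int, kvno: int):
    """Would a ticket for `principal`, encrypted with `enctype` under key version
    `kvno`, be decryptable with this keytab? Returns (ok, reason) naming the first mismatch."""
    same_princ = [e for e in entries if e.principal == principal]
    if not same_princ:
        return False, f"no keys: {principal} is not in the keytab (wrong SPN or wrong file)"
    same_kvno = [e for e in same_princ if e.kvno == kvno]
    if not same_kvno:
        have = sorted({e.kvno for e in same_princ})
        return False, f"kvno mismatch: ticket kvno {kvno}, keytab has {have} (stale keytab after a password change)"
    if any(e.enctype == enctype for e in same_kvno):
        return True, f"ok: {ENCTYPE_NAMES.get(enctype, enctype)} kvno {kvno}"
    have = sorted({e.enctype_name for e in same_kvno})
    return False, f"enctype mismatch: ticket uses {ENCTYPE_NAMES.get(enctype, enctype)}, keytab has {have}"


# Constructed sample data (dummy keys, made-up host and realm), not a real keytab.
HOST_SPN = "host/unixbox.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(HOST_SPN, 1, 1144000000, 2, 3, bytes(range(8))),     # des-cbc-md5, kvno 2
    KeytabEntry(HOST_SPN, 1, 1144000000, 2, 23, bytes(range(16))),   # rc4-hmac, kvno 2
    KeytabEntry("ldap/unixbox.example.com@EXAMPLE.COM", 1, 1144000000, 300, 23, bytes(range(16))),
])
SAMPLE_ENTRIES = parse_keytab(SAMPLE_KEYTAB)
```

To inspect a real keytab, pass parse_keytab the bytes of /etc/krb5.keytab (or wherever the generated file was copied) and compare the kvno and enctype of the entry for your SPN against the service ticket shown by klist -e; the check then tells you whether the keytab was generated for the wrong principal, holds a stale key version, or lacks the encryption type the KDC used for the ticket.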