Hello,
So far I understood that if a service is running under Local System, we register the SPN under the computer account. If it runs under a service account, we need to create the SPN on the service account in AD. Right?
So here are my questions about how the SPN process is handled (this is my assumption, please correct me):
- Let's say a client wants to log in to a computer. It sends host\pc1.contoso to Kerberos to receive the ticket, fine. Then Kerberos issues the TGS. What happens if the client (just an idea) sends an SPN like bullshit\pc1.contoso.com to the KDC? Then it searches the forest for PC1 and, if it has "bullshit" registered in its SPNs, the TGS will be issued; otherwise, no TGS. Right?
- Let's consider that we have two servers (web1, sql1) and also two service accounts (svcweb, svcsql), and of course there is a client1. The scenario is this: the client requests access to web1 by specifying the SPN http/web1.contoso; but HTTP is not running under Local System, it runs under svcweb. So how will the KDC issue the ticket here? The client requests an SPN for Local System, but the service is actually running under the service account: how will it be processed?
- The client will need to view a report from sql1. Here the SPNs of sql1 should be written on the sql1 computer account, but who has delegation for it? svcweb?
Last question:
- In which situations should we create an SPN from a remote domain in a local domain? For example, consider two computer accounts in two domains, pc1.contoso.com and pc2.child.contoso.com. In which situation should I create an SPN like host/pc2.child.contoso.com on the computer account of pc1.contoso.com? I ask this because I saw these situations in my environment.
Sorry if it was confusing, but it also confuses me.
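The post's first point, that an SPN lives on the computer account for Local System services and on the service account otherwise, is something an admin can verify directly in AD rather than assume. The following PowerShell is an added example, not part of the original post or an answer to it; it assumes the RSAT ActiveDirectory module is installed, that the caller can read the directory, and uses constructed names (contoso.com, web1, svcweb) that stand in for the poster's environment. It looks up which object holds a given SPN, reports whether that object is a computer or a user (service account), and then scans the domain for SPNs that are registered on more than one object, which is the condition that makes the KDC unable to pick a key and causes KRB_AP_ERR_MODIFIED-style failures.

```powershell
# Added example: verify where an SPN is registered and find duplicate SPNs.
# Assumes the RSAT ActiveDirectory module (Import-Module ActiveDirectory).
Import-Module ActiveDirectory

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)   # e.g. "HTTP/web1.contoso.com" (constructed)

    # servicePrincipalName is multi-valued; the LDAP filter matches any value.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName, objectClass, sAMAccountName

    foreach ($o in $owners) {
        [pscustomobject]@{
            SPN            = $Spn
            Owner          = $o.sAMAccountName
            # "computer" => service runs as Local System / Network Service;
            # "user"     => service runs under a dedicated service account.
            OwnerType      = $o.objectClass
            DistinguishedName = $o.DistinguishedName
        }
    }
}

function Find-DuplicateSpn {
    # Every object that has at least one SPN; one row per (SPN, owner) pair.
    $rows = Get-ADObject -LDAPFilter "(servicePrincipalName=*)" `
        -Properties servicePrincipalName, sAMAccountName |
        ForEach-Object {
            $owner = $_.sAMAccountName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ SPN = $spn; Owner = $owner }
            }
        }

    # SPN comparison is case-insensitive, so normalise before grouping.
    $rows | Group-Object { $_.SPN.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN    = $_.Name
                Owners = ($_.Group.Owner | Sort-Object -Unique) -join ', '
            }
        }
}

# Usage (constructed names): expected result for the poster's web1 scenario is
# OwnerType = user and Owner = svcweb, not the WEB1$ computer account.
Get-SpnOwner -Spn 'HTTP/web1.contoso.com' | Format-Table -AutoSize

# Any row returned here is a misconfiguration: the same SPN must not be
# registered on two accounts, or the KDC cannot choose a single service key.
Find-DuplicateSpn | Format-Table -AutoSize
```

The built-in `setspn -Q HTTP/web1.contoso.com` and `setspn -X` give the same two answers without PowerShell; the script version is useful when the check needs to run on a schedule and feed a ticket or alert when a duplicate appears.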