SPNs and the HOST prefix

  • Last Post 07 July 2017
kool posted this 07 July 2017

I've been troubleshooting issues with Kerberos constrained delegation when I found this blog post by Joe Richards: http://blog.joeware.net/2008/07/17/1407/. He expands on the KB321044 article and points out how the HOST SPN prefix is an alias for a number of other service prefixes including HTTP. I have an SSRS server with the service running as a local (NT Service) account. The server has both HOST and HTTP SPNs. Why isn't this a duplicate?

If I read Joe's article correctly this should constitute a duplicate SPN where one is explicit and the other implicit. Yet the delegation from the SSRS instance is working to the back-end SQL DB which implies the SPNs are correct and that Kerberos auth is working properly. Am I misinterpreting something here or is there some other subtlety at play?

BTW, I checked the sPNMappings attribute on the Directory Service object and it does list http.

Thanks,

Eric


Forum info: http://www.activedir.org

bdesmond posted this 07 July 2017

It matches the explicit SPN before expanding the mappings so it's not a duplicate. The flipside though will bite you if you're expecting host/foo to help you out but http/foo is registered someplace else.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132
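
The lookup order described in the reply above, as an added example that is not part of the original thread: a simplified Python model in which an explicit SPN match wins over the HOST alias, plus a check for the "flipside" case where an aliased SPN is registered on a different account than HOST for the same host. The directory contents, account names and shortened sPNMappings value are constructed, and the function names are hypothetical.

```python
# Added example: simplified model of the lookup order described in the reply.
# All account names, hosts and SPNs below are constructed sample data.

# One sPNMappings value has the form "host=<class>,<class>,..."
SPN_MAPPINGS = ["host=alerter,browser,cifs,http,www"]  # constructed, shortened

# servicePrincipalName values per account (constructed)
DIRECTORY = {
    "SSRS01$": ["HOST/ssrs01.corp.example", "HTTP/ssrs01.corp.example"],
    "WEB02$": ["HOST/web02.corp.example"],
    "svc-web": ["HTTP/web02.corp.example"],
    "APP03$": ["HOST/app03.corp.example"],
}

def parse_mappings(values):
    """Return {aliased service class: class it maps to}, all lowercase."""
    aliases = {}
    for value in values:
        target, _, classes = value.partition("=")
        for cls in classes.split(","):
            aliases[cls.strip().lower()] = target.strip().lower()
    return aliases

def index_spns(directory):
    """Map each lowercased SPN to the accounts that register it."""
    index = {}
    for account, spns in directory.items():
        for spn in spns:
            index.setdefault(spn.lower(), []).append(account)
    return index

def resolve(spn, directory, mappings):
    """Explicit match first; fall back to the alias only if none exists."""
    index, aliases = index_spns(directory), parse_mappings(mappings)
    key = spn.lower()
    if key in index:
        return index[key], "explicit"
    cls, _, rest = key.partition("/")
    alias_key = f"{aliases.get(cls, cls)}/{rest}"
    if cls in aliases and alias_key in index:
        return index[alias_key], "via " + aliases[cls]
    return [], "not found"

def shadowed_hosts(directory, mappings):
    """Aliased-class SPNs held by a different account than HOST/<same host>."""
    index, aliases = index_spns(directory), parse_mappings(mappings)
    findings = []
    for spn, accounts in index.items():
        cls, _, rest = spn.partition("/")
        host_owners = index.get(f"{aliases.get(cls)}/{rest}", [])
        if cls in aliases and host_owners and set(accounts) != set(host_owners):
            findings.append((spn, accounts, host_owners))
    return findings
```

In this sample, `HTTP/ssrs01.corp.example` resolves explicitly to the same account that holds HOST, so nothing is flagged, while `http/web02.corp.example` is reported because it resolves to `svc-web` rather than the computer account.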


kool posted this 07 July 2017

Thanks Brian! That was indeed the subtlety I was wondering about.

Cheers,

Eric
