Posted by Joe Richards [MVP] on May 6, 2006, 10:21 am
Ah I see. I have never worked with that part of it so no experience. Sorry.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
johnny wrote:
> To clarify this further, the problem does not lie in the setting up of the
> service principal name but the use of it. As I have mentioned, delegation to
> the server is not working because the proper user credentials are not being
> passed. The server receives the "anonymous logon" credential.
>
> We use the RpcBindingSetAuthInfoEx call passing to it the service principal
> name. I suspect there may be some restriction in the Kerberos SSP.
>
> Thanks
> Shakti
>> ADSIEDIT should be allowing it, I can't speak to DsWriteAccountSpn.
>>
>> I just used my own admod (simple LDAP mod tool) to set an SPN with
>> spaces in both the service name and service class.
>>
>>
>> G:\TEMP>adfind -default -f name=someuser serviceprincipalname
>>
>> AdFind V01.31.00cpp Joe Richards (joe@joeware.net) March 2006
>>
>> Using server: 2k3dc01.joe.com:389
>> Directory: Windows Server 2003
>> Base DN: DC=joe,DC=com
>>
>> dn:CN=someuser,OU=TestOU,DC=joe,DC=com
>>> servicePrincipalName: this is a test/test@somedomain.com/this is a test2
>>
>> 1 Objects returned
>>
>>
>>
>> The directory uses DsCrackSpn to check the SPN prior to setting it, if it
>> doesn't pass the DsCrackSpn check (i.e. status!=ERROR_SUCCESS) it will not
>> allow the change.
>>
>>
>> johnny wrote:
>>> The application registers the spn by calling DsGetSpn followed by
>>> DsWriteAccountSpn. We have also tried setting it with ADSI edit.
>>>
>>> Shakti
>>>> How exactly are you trying to set them?
>>>>
>>>> Johnny wrote:
>>>>> Thanks for the response. Yes this is in reference to Kerberos entities.
>>>>> The SPN allows
>>>>> us to use the syntax I mentioned but for some reason it does not work
>>>>> with spaces in the servicename part (which according to documentation
>>>>> can be the distinguished name or ldap name of the service). Delegation
>>>>> of impersonated credentials to a remote server fails because the remote
>>>>> server receives the "anonymous logon" credential.
>>>>>
>>>>> Thanks for any help
>>>>>
>>>>> Shakti
>>>>>> SPNs are Kerberos entities and they make use of the Kerberos
>>>>>> canonical name. The distinguished names you mention sound like
>>>>>> Ldap names.
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> We need to set up the service principal name for a service in this
>>>>>>> format
>>>>>>>
>>>>>>> <class>/<host:port>/<service name>
>>>>>>>
>>>>>>> we provide the distinguished name of the service in question. However
>>>>>>> we found that this cannot have spaces in them. Surely distinguished
>>>>>>> names of objects can have spaces in them. Can you suggest a solution
>>>>>>> to this. If we use object guid what format do we enter that?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Shakti
>>>>>>>
>
>
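A small parser for the three-part SPN form the thread discusses (class/host:port/service name), added here as an example; it is not code from the thread, from joeware or from Windows. It splits SPNs the way a DsCrackSpn-style check would need to and runs over constructed lines in the adfind output style quoted above; the assumption that the service name is everything after the second slash is this example's, not a statement about DsCrackSpn.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample, one value per line as adfind prints multi-valued
# attributes; the first SPN is the one quoted in the thread.
SAMPLE_EXPORT = """\
dn:CN=someuser,OU=TestOU,DC=joe,DC=com
>servicePrincipalName: this is a test/test@somedomain.com/this is a test2
>servicePrincipalName: HTTP/web01.joe.com:8443
>servicePrincipalName: MSSQLSvc/sql01.joe.com:1433/instance one
>servicePrincipalName: broken
"""


class Spn(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]


def parse_spn(spn: str) -> Spn:
    """Split an SPN into class / host[:port] [/ service name].

    Assumption: the service name is everything after the second slash, so
    it may contain further '/' characters and spaces.  Raises ValueError
    when the class or host component is missing, the case a DsCrackSpn-style
    check would reject before the directory accepts the value.
    """
    parts = spn.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"SPN lacks class or host: {spn!r}")
    service_class, instance = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, port = instance, None
    # Only a trailing numeric ':port' is treated as a port.
    m = re.fullmatch(r"(.+):(\d{1,5})", instance)
    if m:
        host, port = m.group(1), int(m.group(2))
    return Spn(service_class, host, port, service_name)


def audit_export(text: str) -> dict:
    """Map each servicePrincipalName value to its parse or an error string."""
    result = {}
    for line in text.splitlines():
        if not line.startswith(">servicePrincipalName: "):
            continue
        value = line.split(": ", 1)[1]
        try:
            result[value] = parse_spn(value)
        except ValueError as exc:
            result[value] = str(exc)
    return result


if __name__ == "__main__":
    for spn, parsed in audit_export(SAMPLE_EXPORT).items():
        print(f"{spn!r} -> {parsed}")
```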