Subject: serviceClass must be in lower case?
Author: Alex_Raj
In response to: How To Set SPN
Posted on: 08/07/2006 09:17:12 PM
According to IBM, <serviceClass> MUST be in lower case. Here is an excerpt from:
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahyschemacheck.htm
This name does not comply with the standards that define GSSAPI authentication, which state that the principal name should start with lower case "ldap". As a result, LDAP/mysys.ibm.com@IBM.COM, must be ldap/mysys.ibm.com@IBM.COM in newer i5/OS servers.
Does anyone know which standard?
>
> On 05/31/2006 03:09:40 PM Alex_Raj wrote:
The Setspn utility sets SPNs. Because SPNs are security-sensitive, you can only set SPNs for user objects if you have domain administrator privileges.
Setspn
To add an SPN, you can type the following at a command prompt:
setspn -A ServiceClass/Host:Port
To delete an SPN, you can type the following at a command prompt:
setspn -D ServiceClass/Host:Port
To view the SPNs that are registered for an account, you can type the following at a command prompt:
To reset the default SPN registrations for the host names for an account, you can type the following at a command prompt:
The following section discusses the parameters listed above.
ServiceClass. There are many different types of SPNs, and each service that is running on a computer should have the appropriate SPN service class assigned to it. If an application is written to take advantage of Kerberos authentication and delegation, it has the specific type of SPN that it needs to access pre-determined. For example, when Internet Explorer versions 5.5 and later use the Kerberos protocol to authenticate to a Web service, the application looks for the HTTP SPN. On the other hand, a SQL Server client looks for the MSSQLSvc/ SPN. If the wrong service class is used on an SPN, then the SPN will not be located when a service searches for it.
Host. The computer to which the SPN belongs is all the names by which a computer on which the service is running can be referenced. This usually includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases that might have been assigned to this computer. A separate SPN will need to be set for each name by which the computer can be referenced, with the Host parameter changing respectively.
Port. The port that the service is running on. If this is a default port for that service (such as 80 for HTTP), then it can be omitted. However, it is recommended the port be included regardless of what service is running.
AccountName. The name of the domain account under which the service runs. If the service runs as Local System or the network service, you usually do not need to set an SPN explicitly for the service because most common SPN service classes will automatically be mapped to the HOST/ SPN which is in turn automatically generated for each computer account.
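The quoted post says a separate SPN is needed for every name a host can be referenced by, and the IBM excerpt at the top of the thread shows a peer that accepts only the lower-case "ldap" service class. The following audit script is an added example, not code from the thread, from Microsoft's setspn documentation, or from IBM. It assumes the SPN shape quoted above (ServiceClass/Host[:Port]) and takes the registered SPNs as a plain list of strings that an admin would obtain elsewhere; the registered list and host names below are constructed for the example. It reports three buckets: names with an SPN registered exactly as expected, names whose SPN exists only with a differently cased service class (the LDAP vs. ldap situation the thread asks about), and names with no SPN at all.

```python
"""Audit the SPNs registered for a host against the names it can be reached by.

Added example, not code from the forum thread, Microsoft's setspn docs, or IBM.
Assumes SPNs of the form ServiceClass/Host[:Port]; the registered SPN list is
assumed to come from elsewhere (e.g. pasted by an admin), and the sample data
at the bottom is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None

    def __str__(self) -> str:
        text = f"{self.service_class}/{self.host}"
        return f"{text}:{self.port}" if self.port is not None else text

    def key(self) -> Tuple[str, str, Optional[int]]:
        # Lookup key: service class and host compared case-insensitively,
        # port compared exactly (an omitted port is not the same as a stated one).
        return (self.service_class.lower(), self.host.lower(), self.port)


def parse_spn(text: str) -> SPN:
    """Parse 'ServiceClass/Host[:Port]'; raise ValueError on malformed input."""
    if text.count("/") != 1:
        raise ValueError(f"expected exactly one '/' in SPN {text!r}")
    service_class, rest = text.split("/")
    host, port = rest, None
    if ":" in rest:
        host, port_text = rest.rsplit(":", 1)
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port in SPN {text!r}")
        port = int(port_text)
    if not service_class or not host:
        raise ValueError(f"empty service class or host in SPN {text!r}")
    return SPN(service_class, host, port)


def required_spns(service_class: str, names: List[str],
                  port: Optional[int] = None) -> List[SPN]:
    """One SPN per name the host is referenced by (NetBIOS, FQDN, aliases)."""
    return [SPN(service_class, name, port) for name in names]


@dataclass
class AuditResult:
    ok: List[str] = field(default_factory=list)             # registered as expected
    case_mismatch: List[str] = field(default_factory=list)  # registered, service class case differs
    missing: List[str] = field(default_factory=list)        # no SPN registered for this name


def audit_spns(registered: List[str], service_class: str, names: List[str],
               port: Optional[int] = None) -> AuditResult:
    """Compare registered SPN strings with the set the host needs.

    A registration that matches only when case is ignored is reported
    separately from a missing one, because a peer that insists on the exact
    lower-case class (as in the IBM excerpt quoted in the thread) will reject it.
    """
    by_key: Dict[Tuple[str, str, Optional[int]], List[SPN]] = {}
    for text in registered:
        spn = parse_spn(text)
        by_key.setdefault(spn.key(), []).append(spn)
    result = AuditResult()
    for wanted in required_spns(service_class, names, port):
        found = by_key.get(wanted.key(), [])
        if not found:
            result.missing.append(str(wanted))
            continue
        exact = [s for s in found if s.service_class == wanted.service_class]
        if exact:
            result.ok.append(str(exact[0]))
        else:
            result.case_mismatch.append(str(found[0]))
    return result


# Constructed sample data (not taken from any real directory).
SAMPLE_REGISTERED = ["HOST/MYSYS", "HOST/mysys.ibm.com", "LDAP/mysys.ibm.com", "ldap/mysys"]
SAMPLE_NAMES = ["MYSYS", "mysys.ibm.com", "ldapalias.ibm.com"]

if __name__ == "__main__":
    r = audit_spns(SAMPLE_REGISTERED, "ldap", SAMPLE_NAMES)
    print("ok:", r.ok)                        # ['ldap/mysys']
    print("case mismatch:", r.case_mismatch)  # ['LDAP/mysys.ibm.com']
    print("missing:", r.missing)              # ['ldap/ldapalias.ibm.com']
```

Host names are compared case-insensitively because DNS and NetBIOS names are; only the service class is held to exact case, since that is the part the thread's question is about. Ports are compared exactly, so an SPN registered without a port does not satisfy a requirement that includes one, matching the quoted advice to include the port regardless.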