On Tue, 22 Mar 2011, Michael B Allen wrote:
> Hi John,
>
> You would not have to create "dummy" machine records. The
> servicePrincipalName attribute on an AD account is multi-valued and
> clients can request and get a ticket for ANY principal in that list.
> So you only need one account.
>
> And you do not need special permissions if you have an existing keytab
> because you can use the keytab to authenticate with AD and add
> servicePrincipalName values to the account itself. At least in theory
> you can. I don't know if Samba's routine for adding HTTP SPNs is smart
> enough to know that it needs to not just add servicePrincipalName
> values but that it will also need to rebuild the keytab.

Yes, but using the machine principal you're able to request any number of
service principals that are SERVICENAME/<machinename>. For this to work in a
virtual hosting environment, you need multiple machine names (since we're
talking about making a number of HTTP/<blah> principals).

Whilst I accept this is possible, I don't see how you'd do it without being a
domain admin. How do I create the records starting from a position of only
having the machine credential for the web server, and at best another user
credential with rights to create machine objects?

With domain admin rights, I get how your scheme works, although it wasn't a
route I'd previously considered.

jh
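As an added illustration of the single-account approach in the quoted message (example code, not from either poster or from Samba): the script below builds the LDIF modify that adds one HTTP/<vhost> value per virtual host to the existing account's multi-valued servicePrincipalName attribute, and refuses any SPN already held by a different account, since an SPN registered on two accounts breaks Kerberos ticket issuance for that name. The DNs, realm and directory snapshot are constructed.

```python
"""Plan HTTP/<vhost> SPN additions for one AD account as an LDIF modify,
checking first that no other account already owns the same SPN.
Constructed example: DNs, host names and the directory snapshot are made up."""

from typing import Dict, List, Optional, Tuple

# Constructed snapshot of servicePrincipalName values already in the directory,
# keyed by account DN (in practice obtained from an LDAP search for
# servicePrincipalName=* that returns distinguishedName and servicePrincipalName).
EXISTING_SPNS: Dict[str, List[str]] = {
    "CN=WEB01,OU=Servers,DC=example,DC=test": [
        "HOST/web01", "HOST/web01.example.test", "HTTP/web01.example.test"],
    "CN=OLDWEB,OU=Servers,DC=example,DC=test": ["HTTP/intranet.example.test"],
}


def spn_owner(spn: str, directory: Dict[str, List[str]]) -> Optional[str]:
    """Return the DN that already holds `spn` (SPNs compare case-insensitively)."""
    for dn, spns in directory.items():
        if spn.lower() in (s.lower() for s in spns):
            return dn
    return None


def plan_http_spns(account_dn: str, vhosts: List[str],
                   directory: Dict[str, List[str]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (ldif, conflicts).

    ldif: an LDIF 'modify' adding HTTP/<vhost> for every vhost that is not yet
          registered anywhere (empty string when there is nothing to add).
    conflicts: (spn, owner_dn) pairs for SPNs held by some other account.
    SPNs already present on account_dn itself are silently skipped.
    """
    to_add: List[str] = []
    conflicts: List[Tuple[str, str]] = []
    for vhost in vhosts:
        spn = f"HTTP/{vhost}"
        owner = spn_owner(spn, directory)
        if owner is None:
            to_add.append(spn)
        elif owner != account_dn:
            conflicts.append((spn, owner))
    if not to_add:
        return "", conflicts
    lines = [f"dn: {account_dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {spn}" for spn in to_add]
    lines.append("-")
    return "\n".join(lines) + "\n", conflicts
```

The LDIF is what you would hand to ldapmodify after a keytab-based kinit, which is the permission model the quoted message describes; the conflict list is what to resolve before touching the directory.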