[CentOS] Apache/Active Directory authentication

Wed Mar 23 18:35:56 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Wed, 23 Mar 2011, Michael B Allen wrote:

>> Yes, but using the machine principal you're able to request any number of
>> service principals that are SERVICENAME/<machinename>.  For this to work in a
>> virtual hosting environment, you need multiple machine names (since we're
>> talking about making a number of HTTP/<blah> principals).  Whilst I accept
>
> The "<machinename>" of the principal does NOT have to match the actual
> machine name. You could create a User object called "alice" with
> servicePrincipalName values of HTTP/as1.busicorp.local,
> HTTP/mycomputer.net and HTTP/test1 and requesting tickets for any of
> those names will work just fine. AD just searches for an account with
> a servicePrincipalName value that matches the principal requested for
> the service ticket.
>
> Pedantic note: If you have the same servicePrincipalName value on more
> than one account, AD will actually choke and not return a ticket at
> all (because the request is ambiguous), there is no constraint in AD
> to stop people from accidentally adding the same SPN to multiple
> accounts and AD will not return any kind of meaningful error about it.

Sure, but if you're not a domain admin, you've only got a machine principal,
and your own principal (which I can use to join machines to the domain).
Given those, and *not* a domain admin credential, how do you create those
principals?

jh