On Wed, 23 Mar 2011, Michael B Allen wrote:

>> Yes, but using the machine principal you're able to request any number of
>> service principals that are SERVICENAME/<machinename>. For this to work in a
>> virtual hosting environment, you need multiple machine names (since we're
>> talking about making a number of HTTP/<blah> principals). Whilst I accept
>
> The "<machinename>" of the principal does NOT have to match the actual
> machine name. You could create a User object called "alice" with
> servicePrincipalName values of HTTP/as1.busicorp.local,
> HTTP/mycomputer.net and HTTP/test1 and requesting tickets for any of
> those names will work just fine. AD just searches for an account with
> a servicePrincipalName value that matches the principal requested for
> the service ticket.
>
> Pedantic note: If you have the same servicePrincipalName value on more
> than one account, AD will actually choke and not return a ticket at
> all (because the request is ambiguous), there is no constraint in AD
> to stop people from accidentally adding the same SPN to multiple
> accounts and AD will not return any kind of meaningful error about it.

Sure, but if you're not a domain admin, you've only got a machine principal,
and your own principal (which I can use to join machines to the domain).
Given those, and *not* a domain admin credential, how do you create those
principals?

jh
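The SPN lookup and the duplicate-SPN failure mode described in the quoted message, as an added example that is not part of the original thread: a small Python audit that parses a constructed LDIF-style export (the account and SPN names are constructed to match the ones quoted above, plus a hypothetical WEB01$ computer account) and flags any SPN registered on more than one account. AD compares servicePrincipalName values case-insensitively, and the index below mirrors that.

```python
from collections import defaultdict

# Constructed sample export (not real directory data); both accounts carry HTTP/test1.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=busicorp,DC=local
sAMAccountName: alice
servicePrincipalName: HTTP/as1.busicorp.local
servicePrincipalName: HTTP/mycomputer.net
servicePrincipalName: HTTP/test1

dn: CN=WEB01,CN=Computers,DC=busicorp,DC=local
sAMAccountName: WEB01$
servicePrincipalName: HOST/web01.busicorp.local
servicePrincipalName: HTTP/test1
"""

def parse_ldif(text):
    """Return {sAMAccountName: [spn, ...]} from a simple LDIF export."""
    accounts, name, spns = {}, None, []
    for line in text.splitlines() + [""]:
        if not line.strip():          # blank line ends an entry
            if name:
                accounts[name] = spns
            name, spns = None, []
            continue
        attr, _, value = line.partition(": ")
        if attr == "sAMAccountName":
            name = value
        elif attr == "servicePrincipalName":
            spns.append(value)
    return accounts

def spn_index(accounts):
    """Map each SPN (lower-cased, since AD matches case-insensitively) to its owners."""
    index = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            index[spn.lower()].append(account)
    return index

def resolve_spn(index, requested):
    """Mimic the KDC lookup: one owner -> account, none -> None, several -> error."""
    owners = index.get(requested.lower(), [])
    if len(owners) > 1:
        raise ValueError(f"{requested}: registered on {sorted(owners)}")
    return owners[0] if owners else None

def duplicate_spns(index):
    """SPNs registered on more than one account (the ambiguous case from the thread)."""
    return {spn: sorted(o) for spn, o in index.items() if len(o) > 1}
```

Running `duplicate_spns` over a real export is the check worth scheduling, since AD itself reports nothing useful when a request hits the ambiguous case.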