I was helping a customer set up Kerberos delegation the other day. After all these years, the specifics of this topic still seem to create uncertainty.
Eventually, the conversation turned to the SPN-Mappings attribute. This little beauty can be found on the Directory Service (nTDSService) object in the configuration partition. It allows the "host/..." SPN of a computer to represent any service running on that computer, i.e. if the SPN for a particular service is missing, the "host/..." SPN acts as a substitute.
For example, "http/HALOMEM01" is missing. The SPN-Mappings attribute has an entry for "http". Consequently, "host/HALOMEM01" can be used to find the "http" service.
We then used PowerShell to dump out the contents of SPN-Mappings.
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=HALO,DC=NET" -properties sPNMappings).sPNMappings -split "," | Sort-Object
I've always wondered about oakley... answers on a postcard!
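The substitution described above, as an added example that is not part of the original post: it parses a value in the `alias=class,...` form and reports which requested SPNs are satisfied only through the "host/..." fallback. The mapping string, the registered SPNs and the function names are constructed for illustration, and the lookup is a simplified model of the behaviour the post describes, not the KDC's own algorithm.

```powershell
# Constructed sample in the "alias=class,class,..." form that the dump above prints.
# Against a real directory, pass the sPNMappings values read with Get-ADObject instead.
$sampleMappings = @('host=alerter,cifs,http,oakley')

# Constructed sample: SPNs registered on a hypothetical computer account.
$registeredSpns = @('host/HALOMEM01', 'host/HALOMEM01.HALO.NET', 'MSSQLSvc/HALOMEM01.HALO.NET:1433')

function ConvertTo-SpnMappingTable {
    param([string[]]$Mappings)
    # Lookup of mapped service class -> substitute class, e.g. http -> host.
    $table = @{}
    foreach ($entry in $Mappings) {
        $alias, $classes = $entry -split '=', 2
        if (-not $classes) { continue }          # no '=' in the entry: ignore it
        foreach ($class in ($classes -split ',')) {
            if ($class.Trim()) { $table[$class.Trim()] = $alias.Trim() }
        }
    }
    $table
}

function Resolve-SpnWithMapping {
    param([string]$RequestedSpn, [string[]]$RegisteredSpns, [hashtable]$MappingTable)
    $result = [pscustomobject]@{ Requested = $RequestedSpn; SatisfiedBy = $null; ViaMapping = $false }

    # An explicitly registered SPN is used as-is (-contains is case-insensitive).
    if ($RegisteredSpns -contains $RequestedSpn) {
        $result.SatisfiedBy = $RequestedSpn
        return $result
    }

    # Otherwise swap the service class for its alias and look again.
    $class, $rest = $RequestedSpn -split '/', 2
    if ($rest -and $MappingTable.ContainsKey($class)) {
        $substitute = '{0}/{1}' -f $MappingTable[$class], $rest
        if ($RegisteredSpns -contains $substitute) {
            $result.SatisfiedBy = $substitute
            $result.ViaMapping  = $true
        }
    }
    $result
}

$table = ConvertTo-SpnMappingTable -Mappings $sampleMappings
'http/HALOMEM01', 'MSSQLSvc/HALOMEM01.HALO.NET:1433', 'ldap/HALOMEM01' | ForEach-Object {
    Resolve-SpnWithMapping -RequestedSpn $_ -RegisteredSpns $registeredSpns -MappingTable $table
} | Format-Table -AutoSize
```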
Comments
- Anonymous
August 04, 2017
Useful information. I would clean this up a little but to remove the host=alerter entry. Try this...
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -properties sPNMappings).sPNMappings.Split("=")[1].Split(",")
- Anonymous
August 04, 2017
little bit, not "little but"... typo. sorry.
- Anonymous