Kerberos - SPN and keytabs

Submitted by 岁酱吖の on 2020-01-14 04:23:32

Question


I have a project that has embedded Jetty with SPNEGO enabled. I would like to be able to run this project locally for development purposes (WITH SPNEGO enabled!)

My question is, are the SPN and keytab associated with a particular server at all, or can I use the same set on multiple instances of my service?


Answer 1:


Kerberos requires that both the client and server somehow figure out the service principal to use without any prior contact. If you have control of both the client and server, you can use any principal you want provided you configure both sides to use the same principal.

In the SPNEGO case, the client does the "standard" thing and builds a principal based on the hostname of the server. (i.e. I want to talk to www.foo.com, I'll try requesting an HTTP/www.foo.com service ticket and see if the server accepts it.)

I don't know of any way to get the SPNEGO code in the browser to use a fixed service principal. So in this case you'll need a separate keytab for each server.
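An added example, not part of the original answer: a Python check that derives the principal a SPNEGO client would request for each URL (HTTP/<hostname>, as the answer describes) and looks for it in plain `klist -k` output. The realm FOO.COM, the keytab path, the hostnames other than www.foo.com and the klist listing are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of plain `klist -k` output (MIT Kerberos layout).
# Path, realm and entries are assumptions, not taken from the original post.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/jetty/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.foo.com@FOO.COM
   3 HTTP/www.foo.com@FOO.COM
"""


def keytab_principals(klist_output):
    """Return the set of principals listed in plain `klist -k` output."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        # Entry rows are "<kvno> <principal>"; header and ruler rows are skipped.
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[1]:
            principals.add(parts[1])
    return principals


def expected_spn(url, realm):
    """Principal a SPNEGO client builds from the URL's hostname."""
    host = urlsplit(url).hostname  # drops scheme, port and path; lowercases
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return f"HTTP/{host}@{realm}"


def check_coverage(urls, klist_output, realm):
    """Map each URL to (expected principal, True if the keytab has a key for it)."""
    have = keytab_principals(klist_output)
    result = {}
    for url in urls:
        spn = expected_spn(url, realm)
        result[url] = (spn, spn in have)
    return result


if __name__ == "__main__":
    urls = ["https://www.foo.com/app", "http://devbox.foo.com:8080/app",
            "http://localhost:8080/"]
    for url, (spn, ok) in check_coverage(urls, SAMPLE_KLIST, "FOO.COM").items():
        print(f"{'OK     ' if ok else 'MISSING'} {spn}  <- {url}")
```

Run against the constructed listing, only the www.foo.com URL is covered; the development hostnames produce principals for which the keytab holds no key.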



Source: https://stackoverflow.com/questions/22990421/kerberos-spn-and-keytabs
