setting a new service principal name


Brandon McCombs

Hello,

Today I was troubleshooting a custom application at work that uses
Kerberos to sign into a database. The custom app is written in Java. I
finally fixed the problem by adding a new SPN to the domain controller.
The problem was only affecting my machine and was the result of the
machine previously being connected to another domain. For some reason my
machine was still referencing an SPN by the name of ldap/old-domain.

My question is regarding how the SPN gets set. I initially attempted to
add the new SPN using a totally unrelated application that I created
myself that is also written in Java. My application properly set the
SPN, and this actually worked for a few minutes when testing the other
application. But after a few minutes ADS automatically removed the SPN
I had just set. I then used the 'setspn -A' command to add the new SPN.
After 10 min of waiting it was still in there and the original
application having the problem could still log in through Kerberos. I
went home after that and assumed it would stay there overnight. The
question now is what else setspn would modify (beyond the
servicePrincipalName attribute of the domain controller object) that I
didn't modify when I used my own program to modify that same attribute.

This is with Windows Server 2003 R1 Enterprise with ADS in native mode.


thanks
 
Today I checked whether the SPN I added on Monday was still there, and
it wasn't, so now my question is why ADS won't retain SPNs that are
added to a DC object. See above for details.

thanks
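The thread leaves two things unverified: whether the SPN is held by exactly one account (Kerberos needs a single holder per SPN, and a duplicate elsewhere in the domain or forest breaks ticket issuance for both), and what actually rewrites the DC's servicePrincipalName attribute after a manual add. The following PowerShell is an added example, not code from the original poster; it uses only ADSI (no RSAT modules) and `repadmin`, which ships on domain controllers. The DC name `DC01` is assumed; `ldap/old-domain` is the SPN from the thread. Run it on a domain-joined machine as a user with read access to the domain partition.

```powershell
# Added example (not from the original post): inspect and watch the servicePrincipalName
# attribute of a domain controller's computer object, and find every account that holds a
# given SPN. Uses ADSI only, so no RSAT/ActiveDirectory module is required.
# Assumptions: the DC is named DC01 and the SPN under investigation is ldap/old-domain.
param(
    [string]$DcName = 'DC01',             # assumed DC hostname; substitute your own
    [string]$Spn    = 'ldap/old-domain',  # SPN named in the thread
    [int]$WatchMinutes = 0                # >0: re-read the attribute once a minute for this long
)

function Get-AccountsHoldingSpn {
    param([string]$Spn)
    # LDAP filter for any object whose servicePrincipalName contains this exact value.
    # ( ) * \ in the value would need RFC 4515 escaping; real SPNs contain none of them.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'servicePrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Sam  = $r.Properties['samaccountname'][0]
            DN   = $r.Properties['distinguishedname'][0]
            Spns = @($r.Properties['serviceprincipalname'])
        }
    }
}

function Get-DcSpns {
    param([string]$DcName)
    # A DC's own SPNs live on its computer object; the sAMAccountName is the hostname plus '$'.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$DcName`$))"
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "Computer object for $DcName not found in the current domain" }
    $spns = @($r.Properties['serviceprincipalname'] | Sort-Object)
    [pscustomobject]@{ DN = $r.Properties['distinguishedname'][0]; Spns = $spns }
}

# 1. Who holds the SPN right now? More than one holder means the KDC cannot map the
#    service ticket request to a single account, and Kerberos to that service fails.
$holders = @(Get-AccountsHoldingSpn -Spn $Spn)
"Accounts holding '$Spn' in this domain: $($holders.Count)"
$holders | ForEach-Object { "  $($_.Sam)  $($_.DN)" }
if ($holders.Count -gt 1) { Write-Warning "Duplicate SPN '$Spn': fix before troubleshooting anything else." }

# 2. Snapshot the DC's SPN list and, optionally, re-read it to catch the entry disappearing.
$before = Get-DcSpns -DcName $DcName
"$DcName holds $($before.Spns.Count) SPNs; contains '$Spn': $($before.Spns -contains $Spn)"

for ($i = 0; $i -lt $WatchMinutes; $i++) {
    Start-Sleep -Seconds 60
    $now  = Get-DcSpns -DcName $DcName
    $diff = Compare-Object -ReferenceObject $before.Spns -DifferenceObject $now.Spns
    if ($diff) {
        "$(Get-Date -Format s) servicePrincipalName on $DcName changed:"
        $diff | ForEach-Object { "  $($_.SideIndicator) $($_.InputObject)" }   # => added, <= removed
        $before = $now
    }
}

# 3. Per-attribute replication metadata: version, USN, originating DC and timestamp of the
#    last write to servicePrincipalName. This is how to tell an administrator's setspn
#    write apart from a write made by the DC itself.
repadmin /showobjmeta $DcName $before.DN | Select-String -Pattern 'servicePrincipalName'
```

The search in step 1 is scoped to the current domain because `[adsisearcher]` defaults to the domain root; to catch a duplicate in another domain of the forest, point `$searcher.SearchRoot` at a `GC://` path, or simply run `setspn -X`, which reports duplicate SPNs forest-wide. Step 3 is the piece the thread was missing: if the originating DSA for the attribute's last version is the DC whose object is being modified, and the timestamp is minutes after the manual add, the removal is the DC maintaining its own SPN list rather than another administrator or the Java application's LDAP write.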
 