on 04-12-2006 8:51 AM
Hello
I'm in a situation where I'm about to implement SPNego, and I realize that I might be in an impossible situation.
The users are part of a domain, but the portal server is not part of any domain. That is the case and cannot be changed.
But as part of setting up SPNego I need an SPN for the portal server, which in my understanding is not possible since it is not part of the domain.
In the old days I would put an IisProxy on a server within the domain and all the troubles would go away. But how do I go about this in an SPNego environment?
Best regards,
Thomas Mouritsen
Thomas,
Your portal is not required to be a Windows domain member (which btw would be impossible if it is on a non-Windows box).
You are right that you need an SPN for your portal. Think of it as a (freely choosable) service user that you set up on ADS.
Kind regards,
Dominik Witte
Hi Dominik,
Right, didn't think about the cross-platform availability.
OK. Let's say that I have a server (non domain member) called server01. I have a domain called domain.dom. And I want the portal to be known as portal.domain.dom in the end. Is it then correct to do the following on the CD:
ktpass -princ host/portal.domain.dom@DOMAIN.DOM -pass secret -out j2ee-p01-portal.keytab -mapUser j2ee-p01-portal +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL
setspn -A HTTP/portal.domain.dom j2ee-p01-portal
I appreciate any input on this.
Best regards,
Thomas Mouritsen
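A consistency check over the two commands in the post above, as an added example that is not part of the original thread: it parses the ktpass and setspn lines and lists the points where they disagree or that deserve review before being run. The function names are hypothetical, and setspn's add flag is assumed to be written as -A.

```python
import shlex

# Commands as posted in the thread (setspn's add flag written as -A).
KTPASS = ("ktpass -princ host/portal.domain.dom@DOMAIN.DOM -pass secret "
          "-out j2ee-p01-portal.keytab -mapUser j2ee-p01-portal +DesOnly "
          "/crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL")
SETSPN = "setspn -A HTTP/portal.domain.dom j2ee-p01-portal"

def parse_ktpass(cmdline):
    """Return {flag: value}; ktpass flags may start with '-', '/' or '+'."""
    tokens, flags, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(tokens):
        name = tokens[i].lstrip("-/+").lower()
        has_value = i + 1 < len(tokens) and tokens[i + 1][0] not in "-/+"
        flags[name] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return flags

def split_spn(spn):
    """Split service/host[@REALM] into (service, host, realm)."""
    name, _, realm = spn.partition("@")
    service, _, host = name.partition("/")
    return service, host.lower(), realm

def check_pair(ktpass_cmd, setspn_cmd):
    """Hypothetical lint: list the points to review before running the pair."""
    kt = parse_ktpass(ktpass_cmd)
    _, _, spn, account = shlex.split(setspn_cmd)[:4]
    k_svc, k_host, realm = split_spn(kt["princ"])
    s_svc, s_host, _ = split_spn(spn)
    findings = []
    if k_svc.lower() != s_svc.lower():
        findings.append(f"service class differs: keytab {k_svc!r}, SPN {s_svc!r}")
    if k_host != s_host:
        findings.append(f"host differs: keytab {k_host!r}, SPN {s_host!r}")
    if str(kt.get("mapuser", "")).lower() != account.lower():
        findings.append("keytab and SPN are mapped to different accounts")
    if realm != realm.upper():
        findings.append("realm is not upper case")
    # DES enctypes are disabled by default from Windows 7 / Server 2008 R2 on.
    if kt.get("desonly") or str(kt.get("crypto", "")).upper().startswith("DES-"):
        findings.append("single-DES key requested")
    if kt.get("pass") not in (None, "*"):  # '*' makes ktpass prompt instead
        findings.append("password passed in clear on the command line")
    return findings

if __name__ == "__main__":
    for finding in check_pair(KTPASS, SETSPN):
        print("REVIEW:", finding)
```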