Kerberos-SPN和密钥表 [英] Kerberos - SPN and keytabs

问题描述

我有一个已启用SPNEGO的嵌入式码头项目.我希望能够出于开发目的在本地运行该项目(启用SPNEGO！)

I have a project that have embedded jetty with SPNEGO enabled. I would like to be able to run this project locally for development purposes (WITH SPNEGO enabled!)

我的问题是，SPN和密钥表是否完全与特定服务器相关联，还是可以在服务的多个实例上使用同一集合?

My question is, is the SPN and keytab associated with a particular server at all or can I use the same set on multiple instances of my service?

推荐答案

Kerberos要求客户端和服务器都以某种方式确定要使用的服务主体，而无需事先联系.如果您同时控制客户端和服务器，则可以使用所需的任何主体，只要将双方都配置为 使用相同的主体.

Kerberos requires that both the client and server somehow figure the service principal to use without any prior contact. If you have control of both the client and server, you can use any principal you want provided you configure both sides to use the same principal.

在SPNEGO情况下，客户端执行标准"操作并基于服务器的主机名构建主体. (即，我想与www.foo.com交谈，我会尽力 请求HTTP/www.foo.com服务票证，并查看服务器是否接受该票证. )

In the SPNEGO case, the client does the "standard" thing and builds a principal based on the hostname of the server. (i.e. I want to talk to www.foo.com, I'll try requesting an HTTP/www.foo.com service ticket and see if the server accepts it. )

我不知道有什么方法可以在浏览器中获取SPNEGO代码以使用固定服务主体.因此，在这种情况下，每个服务器都需要一个单独的密钥表.

I don't know of any way to get the SPNEGO code in the browser to use a fixed service principal. So in this case you'll need a separate keytab for each server.

这篇关于Kerberos-SPN和密钥表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！