[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames
Stefan Metzmacher
metze at samba.org
Fri Jan 13 14:19:19 UTC 2017
Hi Sreekanth,
sorry for the long delay.
The difference I see is that you're doing this as administrator.
I'm talking about validated-writes done by an account on it's own
computer object. And that's what [MS-ADTS] 3.1.1.5.3.1.1.4
servicePrincipalName
about, also see the parent section 3.1.1.5.3.1.1 Validated Writes
Can you please continue your reserach on this?
Thanks!
metze
> Hello Stefan, simple tests at my end using a test domain controller shows that all of the following values are allowed by MS Windows domain controller. Before I propose any doc changes, can you confirm which domain controller you have used when you say "Testing against a Windows DC shows that **only** numeric characters are allowed after ':'" Did you mean to say the domain controller itself failed to add such SPN ? Or are you saying that it is the SQL Server that didn't find an SPN that has a nonnumeric character after ":" ?
>
>
>
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433 lvisser
>
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1 lvisser
>
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2 lvisser
>
> C:\Users\Administrator>setspn -l lvisser
>
> Registered ServicePrincipalNames for CN=lora visser,CN=Users,DC=379135DOM,DC=LAB:
>
> MSSQLSvc/myhost.379135DOM.LAB/MYINST2
> MSSQLSvc/myhost.379135DOM.LAB:MYINST1
> MSSQLSvc/myhost.379135DOM.LAB:1433
>
>
> You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2
>
>
> But ultimately, If the SPN does not match the string as constructed by the Service i.e. SQL Server in this case, authentication will fail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20170113/cc8a9ea9/signature.sig>
More information about the cifs-protocol
mailing list