Yep, you’re right… shouldn’t matter.  What little I’ve done w/ SPNs has always been setting the user account against a hostname.  Never tried w/ just the computer account.

 

:m:dsm:cci:mvp | marcusoh.blogspot.com

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of T C
Sent: Tuesday, April 04, 2006 1:47 PM
To: [email protected]
Subject: Re: [ActiveDir] Creating a service instance account in AD

 

I don't see how delegation helps in this case.  Apparently AD issues a ticket for this service.  But I went ahead and trust the computer account for delegation anyway, and it still fails.

Terry

On 4/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Do you need to trust the computer account for delegation?

 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of T C
Sent: Monday, April 03, 2006 5:19 PM
To: Active Directory Discussions
Subject: [ActiveDir] Creating a service instance account in AD

 

Hi,

I am working on bringing a Unix service under AD.  To do this I need to map a service
principal name (SPN) to an AD account.  The MS document specifies using a user
account for this, and I have tested with this and it works.  However, I am also
trying to use a computer account for this.  Everything seems to work except the
ticket cannot be decrypted.  So I am curious if computer accounts can be used
for this purpose.  It seems quite straightforward, but it just didn't work.

Thanks,
Terry

 

Reply via email to