Once you go down that route (e.g. allowing SPNEGO to specify service principal), you no longer have mutual auth, because you no longer are connecting to precisely the server the client / client application specified. You could be talking w/ whomever intercepted that traffic, and returned their SPN.
On Jan 14, 2008, at 1:57 PM, Srinivas Kakde wrote: > > This message says: From a security standpoint, allowing the server > to specify its > service principal is a "bad idea". ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
