-
Titre
What service principal name for the host object does Quest Authentication Services (QAS/VAS) look -
Description
What service principal name for the host object does QAS look for in Active Directory?
-
Résolution
The service principal name (SPN) for the computer object can be confirmed by checking out the keytab or what is in the misc cache for computerFQDN.
For example:
# /opt/quest/bin/vastool ktutil list
/etc/opt/quest/vas/host.keytab:Vno Type Principal
2 arcfour-hmac-md5 host/rhl.qmxlab.com@QMXLAB.COM
2 arcfour-hmac-md5 RHL$@QMXLAB.COM
2 arcfour-hmac-md5 cifs/rhl.qmxlab.com@QMXLAB.COM# /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_misc.vdb select * from misc | grep computer
computerName|RHL
computerFQDN|rhl.qmxlab.comHence, this is what the SPN of the computer object should be in AD, in the above instance:
servicePrincipalName: host/RHL
servicePrincipalName: host/rhl.qmxlab.com -
Informations supplémentaires
When QAS is authenticating a user for access onto the machine, it will use the FQDN (Fully Qualified Domain Name) as its service name when requesting the users service ticket. If the SPN does not exist in AD then the authetntication will fail with Service Principal Unknown.