What service principal name for the host object does QAS look for in Active Directory?
The service principal name (SPN) that QAS expects on the computer object can be confirmed from two places on the host: the principals stored in the host keytab, and the computerFQDN value recorded in the vasd misc cache.
For example:
# /opt/quest/bin/vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno  Type              Principal
  2  arcfour-hmac-md5  host/rhl.qmxlab.com@QMXLAB.COM
  2  arcfour-hmac-md5  RHL$@QMXLAB.COM
  2  arcfour-hmac-md5  cifs/rhl.qmxlab.com@QMXLAB.COM
# /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_misc.vdb "select * from misc" | grep computer
computerName|RHL
computerFQDN|rhl.qmxlab.com
Hence, in the above instance, these are the SPNs the computer object should carry in AD (the cifs/ principal in the keytab does not need its own SPN, because AD's default sPNMappings resolve cifs to host):
servicePrincipalName: host/RHL
servicePrincipalName: host/rhl.qmxlab.com
When QAS authenticates a user for access to the machine, it uses the host's FQDN (Fully Qualified Domain Name) as the service name when requesting the user's service ticket, i.e. it asks the KDC for a ticket to host/rhl.qmxlab.com. If that SPN does not exist on the computer object in AD, the KDC cannot find a principal to issue the ticket for and authentication fails with Service Principal Unknown (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN). The registered SPNs can be checked from a domain controller with setspn -L <computerName> (setspn -L RHL in this example); if the FQDN form is missing, add it rather than relying on the short host/RHL entry alone.
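The check described above, as an added shell example that is not part of the One Identity article or of QAS itself: it derives the SPN vasd will request (host/<computerFQDN>) from the misc cache and tests whether that SPN is present in the computer object's servicePrincipalName list. Both inputs are constructed sample text modelled on the outputs shown in the article; on a real host the cache text would come from the sqlite3 query above and the SPN list from AD (for example setspn -L RHL on a domain controller). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or from QAS). Verifies that the SPN
# vasd requests for user logons, host/<computerFQDN>, is registered in AD.

# Constructed sample: contents of the vasd misc cache (key|value lines)
MISC_CACHE='computerName|RHL
computerFQDN|rhl.qmxlab.com'

# Constructed sample: SPNs on the computer object, one per line, as
# setspn -L RHL (or an LDAP query of servicePrincipalName) would return them
AD_SPNS='host/RHL
host/rhl.qmxlab.com'

# Constructed sample for the failure case: only the short name is registered
AD_SPNS_BROKEN='host/RHL'

# misc_value <key> <cache-text>: print the value stored under <key>
misc_value() {
    printf '%s\n' "$2" | awk -F'|' -v k="$1" '$1 == k { print $2; exit }'
}

# expected_spn <cache-text>: the SPN vasd asks the KDC for, host/<computerFQDN>.
# Returns 1 if the cache has no computerFQDN entry.
expected_spn() {
    fqdn=$(misc_value computerFQDN "$1")
    [ -n "$fqdn" ] || return 1
    printf 'host/%s\n' "$fqdn"
}

# spn_registered <spn> <spn-list>: 0 if <spn> is in the list. The match is
# case-insensitive because the Windows KDC looks SPNs up case-insensitively.
spn_registered() {
    printf '%s\n' "$2" | awk -v want="$1" \
        'BEGIN { want = tolower(want) } tolower($0) == want { found = 1 } END { exit !found }'
}

# check_host_spn <cache-text> <spn-list>: prints a verdict.
# Exit status: 0 = SPN present, 1 = SPN missing, 2 = cache has no FQDN.
check_host_spn() {
    spn=$(expected_spn "$1") || { echo "no computerFQDN in misc cache"; return 2; }
    if spn_registered "$spn" "$2"; then
        echo "OK: $spn is registered on the computer object"
        return 0
    fi
    echo "MISSING: $spn is not on the computer object; user ticket requests will fail with Service Principal Unknown"
    return 1
}

check_host_spn "$MISC_CACHE" "$AD_SPNS"
check_host_spn "$MISC_CACHE" "$AD_SPNS_BROKEN" || true
```

Run as-is to see both the healthy and the broken case; to use it against a live host, replace the two constructed variables with the real sqlite3 output and the real SPN list from AD.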
© 2024 One Identity LLC. ALL RIGHTS RESERVED.