I have a client using an IBM product that requires a keytab file to be created for an account userx, so the account can use Kerberos authentication. This account has a SPN of HTTP/website.domain.com@DOMAIN.COM. It is easy enough to create a keytab file for this by doing the following:
ktpass -out file.keytab -princ HTTP/website.domain.com@DOMAIN.COM -mapuser domain\userx -pass abc.123 -ptype KRB5_NT_PRINCIPAL
This will create a keytab file that the IBM application can use. However, now this client is asking for multiple SPNs to be added to the userx account. He wants HTTP/website1.domain.com@DOMAIN.COM and HTTP/website2.domain.com@DOMAIN.COM to be added to the userx account. This is easy enough to do, and a setspn -l userx command will return:
Registered ServicePrincipalNames for <DN of user>:
HTTP/website.domain.com@DOMAIN.COM
HTTP/website1.domain.com@DOMAIN.COM
HTTP/website2.domain.com@DOMAIN.COM
So all 3 of the SPNs are showing up, but I have a problem.
First, I didn't think that you could have multiple SPNs for the same service type (in this case HTTP) on a single account.
Secondly, even if multiple SPNs are allowed for the same service type, how do you generate a keytab file? You have to designate a single principal name during the keytab creation.
Thanks for any help.
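The following is an added example, not code from the original post or from IBM: it builds one keytab that carries an entry for each HTTP SPN on userx by chaining ktpass runs through its /in parameter, and checks first that every SPN is really registered. It assumes a domain-joined Windows host, rights to reset the userx password, the placeholder names and password from the post above, an assumed output path C:\keytabs\userx.keytab, and that AES is enabled on the account. The +/- SetPass and SetUpn switches are the ones listed by ktpass /? ; confirm them on your build before relying on them.

```powershell
# Added example (not from the original post): one keytab with an entry per
# HTTP SPN on userx, built by chaining ktpass runs with /in.
# Assumes: domain-joined Windows host, rights to reset the userx password,
# placeholder names/password from the post, AES enabled on the account.

$Account  = 'DOMAIN\userx'
$Realm    = 'DOMAIN.COM'
$Password = 'abc.123'                       # placeholder from the post
$Spns     = @('HTTP/website.domain.com',
              'HTTP/website1.domain.com',
              'HTTP/website2.domain.com')
$Final    = 'C:\keytabs\userx.keytab'       # assumed output path

# 1. Every SPN must already be registered on the account. ktpass does not
#    add SPNs, and a missing one only shows up later as a failed logon.
$registered = setspn -L userx
foreach ($spn in $Spns) {
    if (-not ($registered -match [regex]::Escape($spn))) {
        throw "SPN $spn is not registered on userx; add it with: setspn -S $spn $Account"
    }
}

# 2. One ktpass run per SPN. The first run writes a fresh keytab and resets
#    the account password (which bumps the account's key version number).
#    Each later run reads the previous keytab with /in and appends its own
#    entry; -SetPass keeps ktpass from resetting the password (and kvno)
#    again and -SetUpn keeps it from rewriting userPrincipalName to the new
#    SPN. The same /pass value is still required so the derived key matches.
$prev = $null
for ($i = 0; $i -lt $Spns.Count; $i++) {
    $out    = "$Final.part$i"
    $ktArgs = @('/princ',   "$($Spns[$i])@$Realm",
                '/mapuser', $Account,
                '/pass',    $Password,
                '/ptype',   'KRB5_NT_PRINCIPAL',
                '/crypto',  'AES256-SHA1',  # assumes AES is enabled on userx
                '/out',     $out)
    if ($prev) { $ktArgs += @('/in', $prev, '-SetPass', '-SetUpn') }

    & ktpass @ktArgs
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $($Spns[$i])" }
    if ($prev) { Remove-Item $prev }
    $prev = $out
}

# 3. Keep only the last, cumulative keytab.
New-Item -ItemType Directory -Force (Split-Path $Final) | Out-Null
Move-Item -Force $prev $Final
Write-Host "Wrote $Final with $($Spns.Count) entries"
```

To check the result on a host with MIT Kerberos tools, klist -k -t userx.keytab should list all three principals with the same kvno, and kinit -k -t userx.keytab HTTP/website1.domain.com@DOMAIN.COM (repeated for each SPN) proves the KDC accepts each key. If only the first principal passes that check, the salt ktpass used for the later AES entries differs from the account's; ktpass /? documents +DumpSalt and /rawsalt for inspecting and overriding it, which is preferable to falling back to unsalted RC4.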