I'm seeking clarification between:
RestrictedKrbHost/Server.domain.com
HOST/Server.domain.com
According to this entry in MS-KILE, the RestrictedKrbHost SPN is used to authenticate to the system.
According to this entry titled Kerberos Technical Supplement for Windows, "The HOST service represents the host computer".
From what I can tell, each can be used to authenticate to the system if a more specific SPN cannot be found. Example being CIFS/Server.domain.com, it can use the HOST/ spn instead of requiring the more specific (recommended) mapping. All the use cases I've found appear to use the HOST spn. Are these truly one in the same?