Reputation: 397
I am new to Kerberos and I am not sure how the browser knows which KDC to contact for a ticket for an HTTP service.
For example, I have an application (SPNEGO) running on www.xyz.example.com and my realm is example.com (I have a Linux server as the KDC server). What will the SPN created be, and how will the browser contact the KDC?
Upvotes: 0
Views: 1042
Reputation: 677
how the browser knows which KDC to contact for a ticket for an HTTP service?
The browser never directly contacts the KDC. Instead, it relies on the ticket cache maintained by the operating system. If the ticket for the specified service is not found in the cache, then the OS connects to the KDC and puts the new ticket in the cache, from where the browser can pick it up.
what will the SPN created be, and how will the browser contact the KDC?
The general format of the SPN is <service class>/<host>:<port>/<service name>. If you have a web application running on xyz.example.com, then usually (not necessarily) the format of your SPN will be HTTP/xyz.example.com.
SPNs are not defined automatically. The administrator has to register the SPNs at the time the keytab is generated.
Upvotes: 1
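As an added illustration (not code from the question or the answer above), the following Python builds the SPN the OS would request for an HTTP URL using the general format described, and shows how a host is mapped to its realm before the KDC is contacted. The realm mapping mirrors the style of a krb5.conf [domain_realm] section and is a constructed sample; the uppercase realm names and the include_port switch are assumptions.

```python
"""Added example: SPN derivation and host-to-realm mapping for a web app
protected by SPNEGO. The mapping below is constructed sample data, not
the poster's configuration (assumption)."""
from typing import Optional, Dict
from urllib.parse import urlsplit

# Constructed krb5.conf-style [domain_realm] mapping (assumption):
# a key beginning with "." matches every host under that domain,
# a key without a leading dot matches that exact host only.
DOMAIN_REALM: Dict[str, str] = {
    ".example.com": "EXAMPLE.COM",
    "legacy.example.com": "LEGACY.EXAMPLE.COM",
}


def spn_for_url(url: str, include_port: bool = False) -> str:
    """Return <service class>/<host>[:<port>] for an HTTP(S) URL.

    The service class is HTTP for both http and https. Browsers usually
    request HTTP/<host> with no port, so the port is only appended when
    include_port is set and the port is non-default."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host component")
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    port = parts.port
    if include_port and port is not None and port != default_port:
        return f"HTTP/{host}:{port}"
    return f"HTTP/{host}"


def realm_for_host(host: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Longest-suffix match in the style of krb5's [domain_realm].

    An exact host entry wins over dot-prefixed domain entries; among domain
    entries the longest (most specific) match wins. None means no entry
    matched, where a real library would fall back to DNS or default_realm."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    best_key: Optional[str] = None
    for key in mapping:
        if key.startswith(".") and host.endswith(key):
            if best_key is None or len(key) > len(best_key):
                best_key = key
    return mapping[best_key] if best_key is not None else None
```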