12 April,16 at 11:11 AM
Applies to: All versions of Centrify DirectControl
Question:
Is it possible to exclude specific SPNs (service principal names) from being created at time of adjoin?
The reason is that an application needs to use some SPNs that Centrify creates during the join. Since SPNs have to be unique, a conflict is reported.
Answer:
Yes. Prior to adjoin, remove the application-related SPN(s) from the adclient.krb5.service.principals parameter in /etc/centrifydc/centrifydc.conf.
This configuration parameter specifies additional service principals for entries in the Kerberos key table. The key table is populated by default with the service principals host and http. This parameter’s value must be one or more principal service names, separated by a space or by a comma.
For example:
adclient.krb5.service.principals: ldap nfs
If this parameter is not defined in the configuration file, no additional principal names are added to the Kerberos key table.
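One way to script that edit before running adjoin, as an added example that is not Centrify's own tooling: it removes the named services from the active adclient.krb5.service.principals line, accepts the space- or comma-separated forms described above, and drops the line entirely when nothing is left, so the parameter is simply not defined. The function names, the .bak backup file and the case-insensitive matching are choices made for this example.

```shell
#!/bin/sh
# Added example, not Centrify code. Function names are made up for this example.
PARAM='adclient.krb5.service.principals'

# current_spn_services CONF: print the active value as a space-separated list.
current_spn_services() {
    awk -v param="$PARAM" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, param) == 1 {
            v = substr(line, length(param) + 1)
            if (v !~ /^[ \t]*:/) next            # a longer, different parameter name
            sub(/^[ \t]*:[ \t]*/, "", v); gsub(/[ \t,]+/, " ", v); sub(/ $/, "", v)
            print v
        }' "$1"
}

# exclude_spn_services CONF SERVICE...: rewrite CONF (backup in CONF.bak) without
# the named services, then print what is left. Commented-out lines are untouched.
exclude_spn_services() {
    conf=$1; shift
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    awk -v param="$PARAM" -v drop="$*" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) skip[tolower(d[i])] = 1 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            rest = substr(line, length(param) + 1)
            if (index(line, param) != 1 || rest !~ /^[ \t]*:/) { print; next }
            sub(/^[ \t]*:/, "", rest); gsub(/,/, " ", rest)   # space or comma separated
            m = split(rest, s, " "); out = ""
            for (i = 1; i <= m; i++)   # service names compared case-insensitively
                if (!(tolower(s[i]) in skip)) out = out (out == "" ? "" : " ") s[i]
            # Nothing left: drop the line, so the parameter is simply not defined.
            if (out != "") print param ": " out
        }' "$conf.bak" > "$conf" || return 1
    current_spn_services "$conf"
}

# Usage: sh this-script /etc/centrifydc/centrifydc.conf nfs
if [ "$#" -ge 2 ]; then exclude_spn_services "$@"; fi
```

Run it against a copy of the configuration file first and compare the result with the .bak file before joining.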