Hi,
The keytab is just a means of encrypting/decrypting the Kerberos information; I don't believe it needs you to have a special SPN just for ISAM. If your backend application already has an SPN, just use that when generating the keytab, or create a second SPN if you want for that same application/ID, as I believe that is also valid (the SPN binds to a service account in AD).
The only thing that matters is that the ID running your application delegates to the WebSEAL ID/SPN, and then your WebSEAL conf file uses that ID/SPN as its identifier, and you're sending the application SPN when you get a 401 (this is where the keytab comes in to generate your ticket).
The example article is a bit confusing at first, but once you get it it's like an AHA moment and it's super easy then.
------------------------------
Jeff Garcia
------------------------------
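A check a WebSEAL administrator can run against AD before cutting the keytab, added here as an example; it is not code from Jeff's reply, from the original poster, or from IBM's ISAM documentation. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and the setspn/ktpass tools, that the junction uses Kerberos constrained delegation (the WebSEAL service account is allowed to delegate to the backend SPN), and it uses HTTP/abc.com for the application's SPN and DOMAIN.COM for the realm as placeholders; isamwebseal and HTTP/isamwebseal.domain.com come from the thread.

```powershell
# Added example (not from the thread): verify the AD objects a WebSEAL Kerberos
# junction depends on, then generate the keytab for the WebSEAL SPN only.
# Assumes: RSAT ActiveDirectory module, setspn.exe and ktpass.exe on the PATH.
Import-Module ActiveDirectory

$WebSealAccount = 'isamwebseal'                  # from the thread
$WebSealSpn     = 'HTTP/isamwebseal.domain.com'  # from the thread
$AppSpn         = 'HTTP/abc.com'                 # placeholder for the application team's SPN
$Realm          = 'DOMAIN.COM'                   # placeholder Kerberos realm

function Get-SpnOwners {
    param([string]$Spn)
    # Every AD object (user or computer) carrying this SPN. Kerberos needs exactly
    # one owner per SPN; a duplicate registration breaks ticket validation.
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName)
}

# 1. The application SPN must resolve to exactly one account. Registering the same
#    SPN a second time on the WebSEAL account would create a duplicate, so do not.
$owners = Get-SpnOwners -Spn $AppSpn
if ($owners.Count -ne 1) {
    Write-Warning "Expected exactly one owner for $AppSpn, found $($owners.Count): $($owners -join '; ')"
} else {
    "Backend SPN $AppSpn is owned by: $owners"
}

# 2. The WebSEAL account needs its own SPN (the one that goes into the keytab)...
$ws = Get-ADUser -Identity $WebSealAccount `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
if ($ws.servicePrincipalName -notcontains $WebSealSpn) {
    # setspn -S checks for duplicates across the forest before adding.
    Write-Warning "$WebSealAccount lacks $WebSealSpn; register it with: setspn -S $WebSealSpn $WebSealAccount"
}

# 3. ...and a constrained-delegation entry for the backend SPN, so the service ticket
#    it obtains on the user's behalf is accepted by the junctioned application.
if ($ws.'msDS-AllowedToDelegateTo' -notcontains $AppSpn) {
    Write-Warning "$WebSealAccount may not delegate to $AppSpn. Add it with:"
    Write-Warning "Set-ADUser $WebSealAccount -Add @{'msDS-AllowedToDelegateTo'='$AppSpn'}"
}
# Protocol transition widens what the account can do; keep it off unless the design
# requires it (least privilege).
"Protocol transition (TrustedToAuthForDelegation) enabled: $($ws.TrustedToAuthForDelegation)"

# 4. Keytab for the WebSEAL SPN only; it is independent of whatever keytab the
#    application team holds for its own SPN. '/pass *' prompts for the password
#    instead of placing it on the command line; AES256 avoids RC4.
ktpass /princ "$WebSealSpn@$Realm" /mapuser "$($Realm.Split('.')[0])\$WebSealAccount" `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out .\isamwebseal.keytab
```

The script deliberately only reports what it finds and prints the remediation commands rather than changing AD itself; run it as an account that can read the two service accounts, review the warnings, and apply the suggested setspn/Set-ADUser commands under change control. The resulting isamwebseal.keytab is what the WebSEAL conf file refers to; the application's existing keytab is not needed on the WebSEAL side.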
Original Message:
Sent: Wed February 12, 2020 01:05 PM
From: Vasanthakumar Chandrasekaran
Subject: Kerberos Solution
Hi All,
I am looking to integrate a Kerberos solution with SharePoint 2016 server applications. I have created a WebSEAL AD user with the hostname of the WebSEAL as HTTP/isamwebseal.domain.com with user isamwebseal. Now I want to integrate the https://abc.com_ website with ISAM. But the application team has already generated an SPN for this website and it's used for their internal purpose.
Now how do I proceed with the solution? Can I generate a new keytab file with the same SPN with our ISAM user, or can I use the keytab which was generated for the website internally? Please advise.
------------------------------
Vasanthakumar Chandrasekaran
------------------------------