
Client with multiple Service SPNs, can client be intentionally limited to certain service? kerberos and / or spnego


I have gotten Active Directory Kerberos and SPNEGO configured correctly, but it always confuses me how a service SPN can be set up to allow only certain domain users to access certain services. For example,

HTTP/[email protected]

the above SPN is the most commonly used basic example of how a client (browser, Java, etc.) can communicate with the service it wants to access.

User A can use that SPN to access the service tied to that SPN. That also means User B can use that SPN to access the service as well. What if I want to make sure that User B cannot access the service even if it knows the SPN? So far, I haven't found a way to limit the service to certain domain users.

The 2nd scenario is even worse: I have two different services running, and each has its own SPN, like below

SPN1 = HTTP/[email protected]
SPN2 = HTTP/[email protected]

and I have two users, user1 and user2. I only want user1 to access service 1 and only user2 to access service 2, respectively. But this seems almost impossible to do, because both clients are legit in the same Active Directory and can request a service ticket for any of the above SPNs. I am really confused by this.

I appreciate any pointers or guidance.

Thank you.


Solution

  • Kerberos is used for authentication.

    There should be some other service that makes authorization decisions about which service is allowed to whom.

    In regard to WebSphere, have a look at Authorization Providers:

    https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/csec_jaccauthorization.html

    The SPN is just a front-end service name; it wouldn't be used for authorization. End users' AD principal names will be used for authorization, not SPNs. The SPN will be the same for all users in most cases (there might be more than one SPN if there is a load balancer etc. in front). Hope this helps / makes sense to you.
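As an added illustration of the answer's point (example code, not from the original post and not a WebSphere API): the SPN is only resolved to a service name, and the allow/deny decision is keyed on the authenticated user principal that the SPNEGO layer reports. All SPNs, principals and group names below are constructed; the realm `EXAMPLE.COM` is an assumption.

```python
# Added example: an authorization step that runs *after* SPNEGO has already
# authenticated the caller. Not WebSphere code; all names are constructed.

# One logical service may be reachable through several SPNs (e.g. a second
# SPN for a load balancer in front), so SPNs are aliases of a service id.
SPN_TO_SERVICE = {
    "HTTP/app1.example.com@EXAMPLE.COM": "service1",
    "HTTP/app1-lb.example.com@EXAMPLE.COM": "service1",  # same service, second SPN
    "HTTP/app2.example.com@EXAMPLE.COM": "service2",
}

# Per-service allow list, expressed as user principals and AD groups.
SERVICE_ACL = {
    "service1": {"users": {"user1@EXAMPLE.COM"}, "groups": {"app1-users"}},
    "service2": {"users": {"user2@EXAMPLE.COM"}, "groups": set()},
}

# Constructed stand-in for a directory lookup of AD group membership.
GROUP_MEMBERSHIP = {
    "user1@EXAMPLE.COM": {"domain-users"},
    "user2@EXAMPLE.COM": {"domain-users"},
    "user3@EXAMPLE.COM": {"domain-users", "app1-users"},
}


def canonical_principal(name: str, default_realm: str = "EXAMPLE.COM") -> str:
    """Normalise the principal name reported by the SPNEGO/GSS layer.
    AD user names are case-insensitive; a missing realm gets the default."""
    user, _, realm = name.partition("@")
    return f"{user.lower()}@{(realm or default_realm).upper()}"


def authorize(spn: str, authenticated_principal: str) -> bool:
    """Decide whether the already-authenticated principal may use the
    service behind `spn`. An SPN not mapped to a service is denied."""
    service = SPN_TO_SERVICE.get(spn)
    if service is None:
        return False
    principal = canonical_principal(authenticated_principal)
    acl = SERVICE_ACL[service]
    if principal in acl["users"]:
        return True
    # Fall back to group-based access; empty intersection means deny.
    return bool(GROUP_MEMBERSHIP.get(principal, set()) & acl["groups"])
```

Both user1 and user2 can obtain tickets for either SPN; only this layer tells them apart.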