spn

Kerberos - SPN and keytabs

岁酱吖の submitted on 2020-01-14 04:23:32
Question: I have a project that has embedded Jetty with SPNEGO enabled. I would like to be able to run this project locally for development purposes (WITH SPNEGO enabled!) My question is, is the SPN and keytab associated with a particular server at all or can I use the same set on multiple instances of my service?
Answer 1: Kerberos requires that both the client and server somehow figure the service principal to use without any prior contact. If you have control of both the client and server, you can use

WCF Client default SPN generation

谁说我不能喝 submitted on 2020-01-07 03:17:08
Question: How does the WCF client generate the target service's SPN dynamically to get the Kerberos ticket in the SPNEGO use case? For example, if the target service is running under a domain machine account, the SPN associated with the service would be in the form 'host/machinename'. If we try to call the service using the WCF client, the WCF client is able to get the ticket for host/machinename. I initially thought that the WCF client might be using the hardcoded string host/+domainname by default. But if I change the target service

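How is the operator name obtained? (Theory part)

我的未来我决定 submitted on 2020-01-01 02:44:37
Haykey recently took on a case in which the same operator's name is displayed as 1O1O on the M platform but as CSL on the Q platform, as shown in the figure below: In the next installment (the practice part), Haykey will present two classic cases in total, including the analysis of this specific problem. This installment first goes through the theory; for example, we need to know why PLMN 460-00 is associated with 中国移动/CMCC/China Mobile.
On a phone there are generally two places where the operator name needs to be displayed: (1) the status bar, which shows the name of the currently registered operator, and (2) the manual network search, which returns the names of the currently available operators. (Figure 1: operator name in the status bar) (Figure 2: operator names returned by a manual network search)
For these two scenarios, the Android AP layer calls two different RIL requests to obtain the operator name.
RIL_REQUEST_OPERATOR obtains the operator name displayed in the status bar; the result includes the long name, the short name and the MCC+MNC pair. When and where to display the long name or the short name is decided entirely on the AP side. Haykey's understanding is that it depends entirely on the available display space: the short name if the space is too small, the long name if it fits. The MCC+MNC pair is purely a fallback: when both the long and the short operator names are empty, only the MCC+MNC pair can be shown to the user.
RIL_REQUEST_QUERY_AVAILABLE_NETWORKS obtains the operator names returned by a manual network search. The result merely adds an operator status: Forbidden (FPLMN), Current (currently registered) or Available (reachable). At this point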

Kerberos: difference between UPN and SPN

旧时模样 submitted on 2019-12-31 22:39:10
Question: I'm now kerberizing a cross-platform application with GSSAPI, but I'm not clear about the difference between UPN and SPN. The development environment is a Samba4 AD DC server on CentOS 6.4 with a Windows Server 2008 R2 as a member box in the domain, say EXAMPLE.COM (You may be curious why not use Win2008 as DC directly. And as I stated previously, the application is cross-platform, I'm now testing in this setting. The normal Win DC-Linux MEM setting works fine.). I create a new user foobar

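Paper walkthrough: Learning Depth with Convolutional Spatial Propagation Network

泪湿孤枕 submitted on 2019-12-23 03:43:19
Learning Depth with Convolutional Spatial Propagation Network. The network proposed in this paper currently ranks first on the KITTI2015 leaderboard, and the authors' CSPN can be used for both depth prediction and depth-map completion.
Building on Spatial Propagation Networks (SPN), the paper proposes Convolutional Spatial Propagation Networks (CSPN); compared with SPN, CSPN can be computed in parallel and gives better results. Like SPN, CSPN is a network that propagates using an affinity matrix, a matrix that determines the similarity between two points in space.
To apply CSPN to stereo matching (processing the 4D cost volume), the authors extend CSPN to 3D and propose 3D CSPN. Inspired by spatial pyramid pooling (SPP), the authors combine CSPN with SPP and propose convolutional spatial pyramid pooling (CSPP).
1. CSPN replaces SPN's line-by-line propagation with a convolution operation: Written in vectorized form: It is also extended to 3D: The figure below shows the differences between SPN, CSPN and 3D CSPN:
2. The authors point out that so-called spatial pyramid pooling (SPP) is in fact a special case of CSPN: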

Kerberos SPN gets cached on Windows Servers?

荒凉一梦 submitted on 2019-12-11 05:56:59
Question: Been integrating Kerberos authentication in my SSO project. Came across a peculiar scenario. I made a new user and attached an SPN to it. Followed steps on this question and got everything working. By everything I mean :- kinit username - and then entering password gave me the message that ticket was saved. kinit spn (in the format HTTP/FQDN) - and then entering password gave me the message that ticket was saved. After some time I decided to try this over once again, and so I used the command

What SPN do I need to set for a net.tcp service?

不打扰是莪最后的温柔 submitted on 2019-12-10 04:56:55
Question: I have a WCF application hosted in a Windows service running a local Windows account. Do I need to set an SPN for this account? If so, what's the protocol the SPN needs to be set under? I know how to do this for services over HTTP, but have never done it for net.tcp.
Answer 1: By default (i.e. out of the box) net.tcp services are unsecured and don't perform any authentication at all. So you won't need (and in fact can't) set a service principal name. If you need to authenticate, then check the net

What SPN do I need to set for a net.tcp service?

安稳与你 submitted on 2019-12-05 08:04:15
I have a WCF application hosted in a Windows service running a local Windows account. Do I need to set an SPN for this account? If so, what's the protocol the SPN needs to be set under? I know how to do this for services over HTTP, but have never done it for net.tcp.
By default (i.e. out of the box) net.tcp services are unsecured and don't perform any authentication at all. So you won't need (and in fact can't) set a service principal name. If you need to authenticate, then check the net.tcp security modes on MSDN. The best way to understand the different combinations is to experiment!

The target principal name is incorrect. Cannot generate SSPI context

邮差的信 submitted on 2019-12-03 08:04:11
Question: I am struggling to get a SQL Server connection from machine A to machine B which is running the SQL Server. I have Googled extensively and all the things I have found have not worked. Nor do they lead you step by step through the process of solving this. We are not using Kerberos, but NTLM where configured. The machines involved are (xx is used to obscure some of the machine name for security purposes): xxPRODSVR001 - Windows Server 2012 Domain Controller xxDEVSVR003 - Windows Server 2012

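Domain penetration: use of SPN in the Kerberos protocol

↘锁芯ラ submitted on 2019-11-28 17:20:23
0x01 About SPN
A service principal name (SPN) is the name a Kerberos client uses to uniquely identify a service instance on a given Kerberos target computer. A service principal name is the unique identifier of a service instance (which can be thought of as a service, such as HTTP or MSSQL). Kerberos authentication uses the SPN to associate a service instance with a service logon account.
On an internal network, SPN scanning performs service discovery by querying the domain controller. For a red team, this helps them identify hosts that are running important services, such as terminals, switches and Microsoft SQL, and stay hidden. In addition, identifying SPNs is the first step of a Kerberoasting attack.
0x02 Basic SPN configuration
For details, see the official Microsoft documentation: https://docs.microsoft.com/zh-cn/windows-server/networking/sdn/security/kerberos-with-spn
The SPN syntax has four elements, two required and two optional, of which <service class> and <host> are the required ones:
<serviceclass>/<host>:<port>/<service name>
<service class>: a string identifying the class of service
<host>: the name of the host the service runs on
<port>: the service port
<service name>: the service name
Common services and their SPN service instance names:
MSSQL: MSSQLSvc/adsmsSQLAP01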