Dear @stnoonan -
first, thanks for your work on this nginx module, which has proven very robust and reliable in the 5 years it has been in production for us.

This pull is for discussion only, as it contains only README changes on how to obtain a Windows service account mapped to specific service names that are not dependent on the host name of the system where nginx is running.

The scenario here is that you may have multiple boxes with nginx on them serving the same app, say, "foo.example.com", behind a load balancer. The nginx servers need to have a keytab that has both `host/foo.example.com` and `HTTP/foo.example.com`, and on the AD side the service account used for Kerberos authentication needs to have these two SPNs mapped to it, in the very same order: "host/" first and "HTTP/" after.

It is also possible to have different service names mapped to the same service account, as long as the `host/` and `HTTP/` entries in the Windows SPN database are in the right order.

The documentation in this pull shows all the steps required to achieve the above, which allows for great flexibility and has been tested with AD on Windows Server 2008, 2012, 2016 and with both IE 11 and Chrome on Windows 7 and Windows 10.
Thanks for your time,
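The README steps the pull refers to are not reproduced on this page. The following is an added illustration, not the PR author's text or the module's documentation, of the setup described above: a dedicated AD service account that is independent of any nginx host name, with the `host/` SPN registered before the `HTTP/` SPN and both keys exported into one keytab. The realm `EXAMPLE.COM`, the service name `foo.example.com`, the account name `svc-nginx-foo` and the keytab path are assumptions for the example; run it on a domain-joined Windows box with the ActiveDirectory module, `setspn` and `ktpass` available.

```powershell
# Added example (not from the PR or the module README). Assumed names:
# realm EXAMPLE.COM, service foo.example.com, account svc-nginx-foo.
$Realm   = 'EXAMPLE.COM'
$Service = 'foo.example.com'
$Account = 'svc-nginx-foo'
$Keytab  = 'C:\keytabs\foo.example.com.keytab'
$Pass    = Read-Host -AsSecureString 'Service account password'
$Plain   = [System.Net.NetworkCredential]::new('', $Pass).Password

# 1. Dedicated account, AES only (no RC4), password never expires.
#    Rotating the password later means re-running ktpass and redeploying the keytab.
New-ADUser -Name $Account -SamAccountName $Account -Enabled $true `
    -AccountPassword $Pass -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128,AES256

# 2. Register the SPNs, host/ first and HTTP/ second, as the PR describes.
#    setspn -S checks the forest for an existing holder and refuses duplicates;
#    an SPN present on two accounts is the classic cause of silent SPNEGO failures.
setspn -S "host/$Service" $Account
setspn -S "HTTP/$Service" $Account

# 3. Export both keys into one keytab.
#    -setupn keeps the account's UPN as it is instead of overwriting it with the
#    principal being mapped. Only the first call sets the password; the second
#    reads the first keytab (/in), appends, and uses -setpass so the password
#    (and therefore the key version number) stays the same for both entries.
ktpass /princ "host/$Service@$Realm" /mapuser "$Account@$Realm" /pass $Plain `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL -setupn /out $Keytab
ktpass /princ "HTTP/$Service@$Realm" /mapuser "$Account@$Realm" /pass $Plain `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL -setupn -setpass `
    /in $Keytab /out "$Keytab.new"
Move-Item -Force "$Keytab.new" $Keytab

# 4. Verify on the AD side: both SPNs on this account and nobody else claiming them.
setspn -L $Account
setspn -Q "HTTP/$Service"
Get-ADUser $Account -Properties ServicePrincipalNames, msDS-KeyVersionNumber |
    Select-Object UserPrincipalName, ServicePrincipalNames, msDS-KeyVersionNumber
```

After copying the keytab to each nginx host (readable only by the nginx worker user), `klist -kt` on the file should list both principals with the same kvno as `msDS-KeyVersionNumber` on the account, and `kinit -kt <keytab> HTTP/foo.example.com@EXAMPLE.COM` from the host confirms the key actually matches AD before any browser is involved. Because nothing in the account or keytab refers to an individual server name, the same keytab serves every box behind the load balancer.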