Kerberos AAA with multiple domains/realms
Hello, I have successfully set up client-side Kerberos authentication for an SWG lab by merging 5 keytab files into one (1 keytab per domain). Security wants to change the password of the 5x Kerberos delegation service accounts, which will require that a new keytab file be built.
Is there a way to replicate this configuration with only a single keytab entry to validate users' tickets from all 5 domains/realms?
It is my understanding that the APM just matches the SPN in the keytab with the SPN in the ticket before trying to decrypt it. If the SPN doesn't match, then the ticket cannot be validated. Users could be coming from any of the 5 domains, so their realm may or may not match the single SPN keytab when they all try to access the same resource (http/proxy.domain.com@REALM).
Thanks!
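As an added illustration (not from the post above and not F5 code), the Python below parses an MIT-format keytab and performs the lookup a service does before decrypting a ticket: the ticket's service name, realm, kvno and enctype must all match an entry. The sample keytab is constructed inline with the same SPN keyed in two realms; treating the realm as part of the match, as this example does, is an assumption about the implementation rather than something the post confirms.

```python
import struct
def _cs(s):  # counted_octet_string: uint16 length + bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b
def _entry(spn, realm, kvno, etype, key):
    """Build one keytab v0x502 entry (name_type 1, timestamp 0, 32-bit kvno trailer)."""
    comps = spn.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(_cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
SAMPLE_KEYTAB = (b"\x05\x02"  # constructed: one SPN keyed in two realms, etype 18 (AES256-SHA1)
                 + _entry("http/proxy.domain.com", "REALM1.LOCAL", 3, 18, b"\x11" * 32)
                 + _entry("http/proxy.domain.com", "REALM2.LOCAL", 3, 18, b"\x22" * 32))
def _rd(blob, off):  # read a counted_octet_string, return (text, new offset)
    n = struct.unpack_from(">H", blob, off)[0]
    return blob[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(blob):
    """Parse an MIT-format (0x0502) keytab into a list of entry dicts."""
    assert blob[:2] == b"\x05\x02", "unsupported keytab version"
    entries, off = [], 2
    while off < len(blob):
        size = struct.unpack_from(">i", blob, off)[0]
        off += 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", blob, off)[0]
        realm, off = _rd(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _rd(blob, off)
            comps.append(c)
        _name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", blob, off)
        key = blob[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = struct.unpack_from(">I", blob, off)[0] if end - off >= 4 else vno8  # 32-bit kvno if present
        entries.append({"spn": "/".join(comps), "realm": realm, "kvno": kvno, "etype": etype, "key": key})
        off = end
    return entries

def find_key(entries, spn, realm, kvno, etype):
    """Lookup done before decrypting a service ticket: service name, realm, kvno and enctype must all
    match one entry (realm-strict match assumed). A password change bumps the kvno, so old entries stop matching."""
    for e in entries:
        if (e["spn"], e["realm"], e["kvno"], e["etype"]) == (spn, realm, kvno, etype):
            return e["key"]
    return None
```

Running `parse_keytab` on a real merged keytab lists exactly which SPN/realm/kvno combinations it can serve, which is a quick way to confirm every realm is still covered after the keytab is rebuilt.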