Normally when you set up Kerberos for IIS, you would do something like setspn -A HTTP/machine some_account. When IIS 7 is installed, it registers the SPN "HOST/machine" for its kernel-mode authentication. Why does this work? Is "HOST" some kind of catch-all SPN that matches when there is no protocol-specific (e.g. "HTTP") SPN registered? Because the client will still specify the HTTP SPN in its TGT requests, right?
(Sorry if this is a simple question, "HOST" is a predictably difficult term to google)
Best Answer
HOST is a catch all for several SPNs. These are determined by the field SPNmappings in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MyDC,DC=com in your AD using ADSIEdit.msc
See this site for more information The problem with duplicate SPNs – alternate working title… KB321044++
And so I don't forget:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com