Active Directory: What connects the KDC's principals to LDAP entries?
In Active Directory, what connects the KDC's principals to their corresponding LDAP entries? For example, my Kerberos principal might be
Name[/Instance]@REALM
john/[email protected]
and my LDAP entry might be:
dn: cn=john,dc=company,dc=com
objectclass: somewhere
but how does Active Directory "connect" the two? SRV records? For example, when I log in (i.e., use Kerberos), how does AD match my Kerberos principal to my LDAP entry?
UPDATE: This MSDN article comes close to answering the question, but doesn't clearly explain the flow: "The Key Distribution Center (KDC) is implemented as a domain service. It uses the Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains. The KDC for a domain is located on a domain controller, as is the Active Directory for the domain. Both services [sic? probably meant the three services of Kerberos: AS, TGS, and password reset] are started automatically by the domain controller's Local Security Authority (LSA) and run as part of the LSA's process."
Solution 1:
An LDAP attribute called SPN (service provider name), the primary being HOST.
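As an added example (not code from the question or the answer above), here is a small Python model of the lookup the AD KDC performs against its account database: a user principal from an AS-REQ is matched on sAMAccountName or userPrincipalName, a service principal from a TGS-REQ is matched against the multi-valued servicePrincipalName attribute, and service classes listed in the forest's sPNMappings (cifs, http, rpcss, ...) fall back to the computer account's HOST SPN that the answer mentions. The realm is the domain's DNS name, which is also how the search base DN is derived. The directory entries, DNs and hostnames below are constructed stand-ins; the filter strings are what you would hand to ldapsearch or ldap3 against a real DC, but nothing here contacts a domain.

```python
"""Model of how AD resolves a Kerberos principal to a directory entry.

Added illustration for this thread, not code from the question or answer.
DIRECTORY is a constructed, in-memory stand-in for AD; its DNs, SPNs and
hostnames are assumptions for the example only.
"""
from __future__ import annotations

from typing import Optional

# Realm of the domain this "KDC" serves. In AD the Kerberos realm is the
# domain's DNS name in upper case; anything else is another domain's KDC.
DOMAIN_REALM = "COMPANY.COM"

# Subset of AD's default sPNMappings value (attribute on the Directory Service
# object under CN=Windows NT,CN=Services,CN=Configuration,...). A ticket
# request for one of these service classes is satisfied by the HOST SPN.
HOST_ALIASES = {"cifs", "http", "www", "rpcss", "dns", "time", "spooler"}

# Constructed stand-in for the account database (assumed entries).
DIRECTORY = [
    {"dn": "CN=john,CN=Users,DC=company,DC=com",
     "sAMAccountName": ["john"],
     "userPrincipalName": ["john@company.com"],
     "servicePrincipalName": []},
    {"dn": "CN=FS01,CN=Computers,DC=company,DC=com",
     "sAMAccountName": ["FS01$"],
     "userPrincipalName": [],
     "servicePrincipalName": ["HOST/fs01.company.com", "HOST/FS01"]},
    {"dn": "CN=svc-web,CN=Users,DC=company,DC=com",
     "sAMAccountName": ["svc-web"],
     "userPrincipalName": ["svc-web@company.com"],
     "servicePrincipalName": ["http/intranet.company.com"]},
]


def parse_principal(principal: str) -> tuple[str, Optional[str], str]:
    """Split 'name[/instance]@REALM' on the rightmost '@' and first '/'."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    local, realm = principal.rsplit("@", 1)
    name, _, instance = local.partition("/")
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, (instance or None), realm.upper()


def realm_to_base_dn(realm: str) -> str:
    """COMPANY.COM -> dc=company,dc=com (AD realm == domain DNS name)."""
    return ",".join(f"dc={label}" for label in realm.lower().split("."))


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping; never interpolate raw principal text into a filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\0", "\\00"))


def candidate_attrs(principal: str) -> list[tuple[str, str]]:
    """(attribute, value) pairs AD matches this principal against."""
    name, instance, realm = parse_principal(principal)
    if instance is None:  # client principal in an AS-REQ: a user or computer
        return [("userPrincipalName", f"{name}@{realm.lower()}"),
                ("sAMAccountName", name)]
    pairs = [("servicePrincipalName", f"{name}/{instance}")]  # TGS-REQ target
    if name.lower() in HOST_ALIASES:  # sPNMappings: served by the HOST SPN
        pairs.append(("servicePrincipalName", f"host/{instance}"))
    return pairs


def ldap_filter(principal: str) -> str:
    """The search filter you would send to a DC for this principal."""
    clauses = [f"({a}={ldap_escape(v)})" for a, v in candidate_attrs(principal)]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def lookup(principal: str, directory=DIRECTORY) -> Optional[str]:
    """DN of the matching entry, or None. Matching is case-insensitive as in AD.

    A principal from another realm returns None here; the real KDC would
    instead consult the Global Catalog and hand back a referral.
    """
    _, _, realm = parse_principal(principal)
    if realm != DOMAIN_REALM:
        return None
    wanted = [(attr, value.lower()) for attr, value in candidate_attrs(principal)]
    for entry in directory:
        for attr, value in wanted:
            if value in (v.lower() for v in entry.get(attr, [])):
                return entry["dn"]
    return None


if __name__ == "__main__":
    for p in ["john@COMPANY.COM", "cifs/fs01.company.com@COMPANY.COM",
              "HTTP/intranet.company.com@COMPANY.COM", "john@OTHER.COM"]:
        print(f"{p:45} base={realm_to_base_dn(parse_principal(p)[2])}")
        print(f"{'':45} filter={ldap_filter(p)}")
        print(f"{'':45} entry={lookup(p)}")
```

The point of the escaping step is that the principal name arrives from the network; building the filter by string concatenation without RFC 4515 escaping is the classic LDAP injection pattern, so any code that reproduces this lookup against a real DC should escape every component before interpolating it.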