I am new to Kerberos and I am not sure how browser knows which KDC to contact for ticket for a HTTP service?
For example, I have an application (SPNEGO) running on www.xyz.example.com and my realm is example.com ( I have a linux server as KDC server), what will be the SPN created and how will browser contact KDC?
The browser never directly contacts the KDC. Instead, it relies on the ticket cache maintained by the operating system. If the ticket for the specified service is not found in cache, then OS connects with the KDC and puts the new ticket in cache, from where the browser can pick it up.
General format of the SPN is <service class>/<host>:<port>/<service name>. If you have a web application running on xyz.example.com, then usually (not necessarily) the format of your SPN will be HTTP/xyz.example.com. SPNs are not defined automatically. The administrator has to register the SPNs at the time the keytab is generated.
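To make the two steps in the answer concrete (deriving the SPN a browser asks for from the URL, then finding the realm whose KDC holds that service), here is an added Python example. It is not from the answer or from any Kerberos library; it assumes the browser convention of requesting HTTP/<host> with the port omitted and the hostname lower-cased, and it models the hostname-to-realm step with a constructed dictionary standing in for the [domain_realm] mapping that libkrb5 reads from krb5.conf (longest-suffix match, exact host first). Real deployments may also use DNS-based realm lookup, which is not modelled here.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed stand-in for the [domain_realm] section of krb5.conf.
# Keys starting with "." match any host under that domain; bare keys match one host.
DOMAIN_REALM: Dict[str, str] = {
    ".xyz.example.com": "EXAMPLE.COM",
    "xyz.example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
}


def service_host(url: str) -> str:
    """Return the lower-cased hostname the SPN is derived from.

    The port, path and query are dropped: a browser negotiating SPNEGO on
    https://www.xyz.example.com:8443/app still asks for the host's SPN.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def build_spn(url: str, service_class: str = "HTTP") -> str:
    """Build the SPN a browser requests: <service class>/<host>, no port.

    The answer's general form allows :<port>/<service name>, but browsers
    (and therefore the keytab the admin registers) normally use just HTTP/<host>.
    """
    return f"{service_class}/{service_host(url)}"


def realm_for_host(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Map a hostname to its Kerberos realm the way [domain_realm] does.

    Exact host entry wins; otherwise the longest matching ".domain" suffix.
    Returns None when nothing matches (the OS would then fall back to other
    mechanisms such as DNS lookup or the default realm, not modelled here).
    """
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Try ".xyz.example.com", then ".example.com", then ".com".
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def ticket_request_for(url: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Dict[str, Optional[str]]:
    """Summarise what the OS ticket cache lookup needs: the SPN and the realm."""
    spn = build_spn(url)
    return {"spn": spn, "realm": realm_for_host(service_host(url), mapping)}


if __name__ == "__main__":
    # Constructed input matching the question's setup.
    print(ticket_request_for("https://www.xyz.example.com:8443/app"))
```

If realm_for_host returns None for a host you expect to work, the usual fix is the missing [domain_realm] line on the client rather than anything on the server: the KDC never sees the request because the OS does not know which realm to send it to.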