Problem using KrbServiceName

Martin Goldstone martin.goldstone at nulc.ac.uk
Mon May 22 09:53:24 EDT 2006


Hi,

I'm getting further along with my problem, and I think it's coming down to the fact that we've got 2 AD domains here.

Right now, I'm having problems using the KrbServiceName directive in .htaccess.

I've had to get two different principals mapped to user accounts and put in the keytab (one for each AD domain) using ktpass.exe, and now my machine is getting a ticket for the service principal for the webserver (as shown by kerbtray.exe).  However, the error log on the webserver is telling me "Wrong principal in request".

I've tried adding a KrbServiceName directive, but I consistently get an error message that reads "Hostname cannot be canonicalized" if I include the realm, or "No principal in keytab matches desired name" if I don't.  What I suspect I need is HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK (which is the service principal mapped to the user account on the domain.ac.uk AD domain), along with HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK (which is the equivalent on the nulcollege.ac.uk AD domain, and also I believe is the principal that the server is expecting).  However, when I enter either the full HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK I get the first error message, and when I enter HTTP/webtest.nulcollege.ac.uk I get the second one.

Can someone tell me where I'm going wrong with this directive?  Any examples for entries that actually work?  Would I be better off just mapping a new service principal such as www/webtest.nulcollege.ac.uk@DOMAIN.AC.UK on the domain.ac.uk AD domain to avoid having two service principals starting with the same string?

Thanks in advance for any advice given.

Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | martin.goldstone at nulc.ac.uk




