Problem using KrbServiceName

Martin Goldstone martin.goldstone at nulc.ac.uk
Tue May 23 06:22:09 EDT 2006


I see what you are saying.

I did a couple of tests yesterday.  When I was logged on as a user on the nulcollege.ac.uk domain, it worked perfectly.  However, when I was logged on as a user from domain.ac.uk, it did not.  When there was no mapping on domain.ac.uk for the service principal for the web server (whose default realm is NULCOLLEGE.AC.UK), no ticket showed up on the Windows box.  When the mapping was there, the Windows box got a ticket.  This is why I got the idea of using two principals.  I guessed I wouldn't be able to map the same principal to an account on domain.ac.uk, as (if nothing else) it would foul up the version numbers and keys for the keytab.

It seems like Windows will first look at the domain of the logged on user for the service principal, and from what has been said, the AD controller will issue a Kerberos referral to the correct realm.  But this only seems to work for the Windows servers on our network.  I've looked through the DNS server to see if there were any clues there about how Windows knows where to refer requests, but I could not see anything.

Does anyone have any suggestions as to how to get Windows to do the referral in this case, or any other suggestions for getting this to work?

Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | martin.goldstone at nulc.ac.uk

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Richard E. Silverman
Sent: 23 May 2006 06:47
To: kerberos at MIT.EDU
Subject: Re: Problem using KrbServiceName

>>>>> "MG" == "Martin Goldstone" <martin.goldstone at nulc.ac.uk> writes:

Why do you have two different principals for this service?  There should
be only one, and in fact there *can* be only one, since mod_auth_kerb will
only take one as its identity (and report "wrong principal in request" if
a client uses the wrong one).

As for "hostname cannot be canonicalized," check the version of
mod_auth_kerb you're running -- I think using a fully-qualified principal
was added later on.

    MG> Hi, I'm getting further along with my problem, and I think it's
    MG> coming down to the fact that we've got 2 AD domains here.

    MG> Right now, I'm having problems using the KrbServiceName directive
    MG> in .htaccess.

    MG> I've had to get two different principals mapped to user accounts
    MG> and put in the keytab (one for each AD domain) using ktpass.exe,
    MG> and now my machine is getting a ticket for the service principal
    MG> for the webserver (as shown by kerbtray.exe).  However, the error
    MG> log on the webserver is telling me "Wrong principal in request".

    MG> I've tried adding a KrbServiceName directive, but I consistently
    MG> get an error message that reads "Hostname cannot be canonicalized"
    MG> if I include the realm, or "No principal in keytab matches desired
    MG> name" if I don't.  What I suspect I need is
    MG> HTTP/webtest.nulcollege.ac.uk at DOMAIN.AC.UK (which is the service
    MG> principal mapped to the user account on the domain.ac.uk AD
    MG> domain), along with HTTP/webtest.nulcollege.ac.uk at NULCOLLEGE.AC.UK
    MG> (which is the equivalent on the nulcollege.ac.uk AD domain, and
    MG> also I believe is the principal that the server is expecting).
    MG> However, when I enter either the full
    MG> HTTP/webtest.nulcollege.ac.uk at DOMAIN.AC.UK I get the first error
    MG> message, and when I enter HTTP/webtest.nulcollege.ac.uk I get the
    MG> second one.

    MG> Can someone tell me where I'm going wrong with this directive?
    MG> Any examples for entries that actually work?  Would I be better off
    MG> just mapping a new service principal such as
    MG> www/webtest.nulcollege.ac.uk at DOMAIN.AC.UK on the domain.ac.uk AD
    MG> domain to avoid having two service principals starting with the
    MG> same string?

    MG> Thanks in advance for any advice given.

    MG> Martin Goldstone | IT Technician Newcastle-under-Lyme College,
    MG> Staffordshire, ST5 2DF 01782 254307 | martin.goldstone at nulc.ac.uk




-- 
  Richard Silverman
  res at qoxp.net
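The thread turns on what is actually in the web server's keytab: whether the entry for HTTP/webtest.nulcollege.ac.uk exists under one realm or both, and whether the key version numbers (kvno) line up with what the KDC issues. The following is an added example, not code from the thread or from mod_auth_kerb, that builds a small MIT-format (version 0x0502) keytab in memory and parses it back, then reports every entry matching a service name with or without a realm. The principal names are taken from the thread; the keys, timestamps and the enctype (23, RC4-HMAC, which is what ktpass.exe typically produced for Windows 2003 accounts) are constructed sample values, not real keys.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab format version 2, big-endian fields


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialize one keytab entry for a principal written as 'a/b@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # vno8 holds low byte
    body += struct.pack(">H", enctype) + _counted(key)               # keyblock
    body += struct.pack(">I", kvno)                                  # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key, timestamp) tuples."""
    return KEYTAB_VERSION + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Parse an MIT v2 keytab into a list of dicts (principal, kvno, enctype, key)."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:      # trailing 32-bit kvno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp, "name_type": name_type})
    return entries


def matching_entries(entries, service_name: str):
    """Entries whose principal equals service_name; without '@REALM', any realm matches."""
    if "@" in service_name:
        return [e for e in entries if e["principal"] == service_name]
    return [e for e in entries if e["principal"].rsplit("@", 1)[0] == service_name]


def keytab_report(data: bytes, service_name: str) -> dict:
    """Summarize what a keytab holds for a service: kvnos per realm and any ambiguity."""
    matches = matching_entries(parse_keytab(data), service_name)
    realms = sorted({e["realm"] for e in matches})
    return {
        "found": bool(matches),
        "kvno_by_realm": {r: sorted(e["kvno"] for e in matches if e["realm"] == r) for r in realms},
        # the same service name keyed in two realms is the situation the thread describes
        "ambiguous_realm": len(realms) > 1,
    }


# Constructed sample keytab: one entry per AD domain mentioned in the thread.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK", 3, 23, bytes(range(16)), 1148000000),
    ("HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK", 1, 23, bytes(16), 1148000000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-48s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print(keytab_report(SAMPLE_KEYTAB, "HTTP/webtest.nulcollege.ac.uk"))
    print(keytab_report(SAMPLE_KEYTAB, "HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK"))
```

Run against a real keytab by replacing SAMPLE_KEYTAB with the file's bytes; the report flags the case of the same service name keyed under two realms and lists the kvno per realm, which is the first thing to compare against the kvno in the ticket the client presents when mod_auth_kerb reports a principal or keytab mismatch.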
