Tuomas tuomaksen.spammiposti at gmail.com
Tue Sep 16 16:15:04 EDT 2008

Michael B Allen wrote:
> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
> <tuomaksen.spammiposti at gmail.com> wrote:
>> I also found out using wireshark what Internet Explorer does when it
>> fails to authenticate using Kerberos. It asks a ticket from the Active
>> Directory server for HTTP/virtualhost.domain.com instead of
>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>> anyone found solutions for this?
> That's not a bug. You will need to add SPNs to the desired account
> (using setspn) for each virtual hostname.

I see, just can't understand why this is happening occasionally. At 
least it makes things harder.

Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still 
didn't work as they should. Now i apache's error.log I get:
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code 
may provide more information (Key table entry not found)

I understand that I should have also virtualhost.domain.com defined in 
my keytab, just don't have any idea how to do that.

Thanks for all the help!

More information about the Kerberos mailing list