[mod_auth_kerb] Use of Kerberos with multiple vhost

Yves-Alexis Perez corsac at corsac.net
Fri Apr 24 09:07:06 EDT 2009


On jeu, 2009-04-23 at 16:16 +0200, Yves-Alexis Perez wrote:
> fqdn.example.net has a correct reverse while vhost.example.net doesn't,
> but forcing it in the various /etc/hosts involved doesn't work.
> 
> Looking at the logs it seems that firefox and internet explorer don't
> even try to start to negotiate Kerberos auth from the vhost one.
> 
> I'm wondering if I should use one principal per vhost (which doesn't
> scale very well).

I tried to create another user in AD and map fqdn.example.net to
that user, creating another keytab. Then I used that second keytab in the
vhost protection, and it worked.
So Kerberos auth works fine, and the config as well. But having to
create a user per service doesn't scale very well (especially if you
multiply the number of vhosts by various criticality levels dev/qa/test/prod/...), so
it'd be nice if I could use only one AD user per server. Having one
service principal name per server would be even better, but I guess I
could do with one SPN per vhost if I can map all of them to the same AD
user.

Any idea on how to do that?

Cheers,
-- 
Yves-Alexis
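Added example (not part of the original post, and not from the mod_auth_kerb project): a small POSIX shell check that a single shared keytab actually carries an HTTP/<vhost> principal for every vhost you intend to protect, which is the thing that silently breaks when several SPNs are mapped to one AD account and one of them never made it into the keytab. The keytab listing is a constructed sample of `klist -k -t` output, so the script runs offline; the realm EXAMPLE.NET, the account name svc-http, the keytab path and the kvno 3 are assumptions. The AD-side commands in the comments (setspn -A to hang several SPNs on one account, ktpass / ktutil to build the keytab, `KrbServiceName Any` so mod_auth_kerb accepts whichever principal in the keytab the client asked for) are the approach I would try, stated as such, not something the thread confirms.

```shell
#!/bin/sh
# check_spns.sh - added example, not the mailing-list author's code.
#
# Assumed setup (one AD account, several SPNs, one keytab):
#   On the AD side (assumed account svc-http, realm EXAMPLE.NET):
#     setspn -A HTTP/fqdn.example.net  svc-http
#     setspn -A HTTP/vhost.example.net svc-http
#     ktpass /princ HTTP/fqdn.example.net@EXAMPLE.NET /mapuser svc-http@EXAMPLE.NET \
#            /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass * /out http.keytab
#   Further SPNs on the same account share the account's key, so (assumption:
#   arcfour-hmac, kvno 3) they can be appended on the Unix side with ktutil:
#     ktutil: rkt http.keytab
#     ktutil: addent -password -p HTTP/vhost.example.net@EXAMPLE.NET -k 3 -e arcfour-hmac
#     ktutil: wkt http.keytab
#   In each Apache vhost (mod_auth_kerb 5.4 or later assumed):
#     Krb5Keytab     /etc/apache2/http.keytab
#     KrbServiceName Any
#
# This script only audits the keytab contents against the vhost list.

REALM="EXAMPLE.NET"

# Constructed sample of `klist -k -t /etc/apache2/http.keytab`.
# Two principals are present; HTTP/vhost.example.net is deliberately absent.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 04/24/09 09:00:00 HTTP/fqdn.example.net@EXAMPLE.NET
   3 04/24/09 09:00:00 HTTP/fqdn.example.net@EXAMPLE.NET
   3 04/24/09 09:00:00 HTTP/other.example.net@EXAMPLE.NET'

# keytab_principals LISTING
#   Prints the unique principal names found in a klist -k listing, one per
#   line. The principal is always the last field and always contains '@',
#   which filters out the header lines.
keytab_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }' | sort -u
}

# missing_spns LISTING VHOST...
#   Prints HTTP/<vhost>@REALM for every vhost whose principal is not in the
#   listing. Returns 0 when every vhost is covered, 1 otherwise.
missing_spns() {
    listing="$1"; shift
    principals=$(keytab_principals "$listing")
    rc=0
    for vhost in "$@"; do
        spn="HTTP/${vhost}@${REALM}"
        if ! printf '%s\n' "$principals" | grep -qxF "$spn"; then
            echo "$spn"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit the sample keytab against the vhosts from the thread.
if missing_spns "$SAMPLE_KEYTAB_LISTING" fqdn.example.net vhost.example.net >/tmp/missing_spns.$$; then
    echo "all vhosts have a principal in the keytab"
else
    echo "missing from keytab:"; cat /tmp/missing_spns.$$
fi
rm -f /tmp/missing_spns.$$
```

In production, replace SAMPLE_KEYTAB_LISTING with `"$(klist -k -t /etc/apache2/http.keytab)"` and feed the vhost list from the ServerName directives of the enabled sites; a browser that "doesn't even try" to negotiate for one vhost is consistent with no SPN existing for that name, so this check is worth running before touching /etc/hosts again.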
