msktutil HTTP service principal ticket help

Dan Searle dan.searle at
Wed Sep 30 05:23:09 EDT 2009


I'm new to Kerberos and don't fully appreciate it's complexities so 
please excuse my ignorance.

I'm using msktutil to create a service principal for authenticating 
users of a squid proxy server with Active Directory (server version 2008 
R2) using the Negotiate (Kerberos) method.

This all works fine, however I'm at a loss as to whether I should be or 
need to periodically refresh (update) the HTTP service principal keytab.

I have had some instances where the keytab generated by msktutil 
seemingly works indefinably (for days at a time) without the need to 
refresh the keytab. However, in other instances (different AD servers), 
after a while (a few hours or days) the authentication stops working and 
I have to refresh (update) the keytab using msktutil again. In the 
failed instances, I use the squid negotiate auth test program, then run 
the token through the squid helper process and I get an error similar 
to: Token header is malformed or corrupt.

Why is this? Should the service principal keys in a keytab file last 
forever? What settings in AD would effect this?

Regards, Dan...


Dan Searle

CensorNet Ltd - professional & affordable Web & E-mail filtering
email: dan.searle at web:
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.

CensorNet Ltd is a registered company in England & Wales No. 05518629
VAT registration number 901-2048-78
Any views expressed in this email communication are those of the
individual sender, except where the sender specifically states them to
be the views of a member of Censornet Ltd. Censornet Ltd. does not
represent, warrant or guarantee that the integrity of this
communication has been maintained nor that the communication is free of
errors or interference.

Scanned for viruses, spam and offensive content by CensorNet MailSafe

Try CensorNet free for 14 days. Provide Internet access on your terms.
Visit for more information.

More information about the Kerberos mailing list