msktutil HTTP service principal ticket help
Dan Searle
dan.searle at censornet.com
Wed Sep 30 05:23:09 EDT 2009
Hi,
I'm new to Kerberos and don't fully appreciate it's complexities so
please excuse my ignorance.
I'm using msktutil to create a service principal for authenticating
users of a squid proxy server with Active Directory (server version 2008
R2) using the Negotiate (Kerberos) method.
This all works fine, however I'm at a loss as to whether I should be or
need to periodically refresh (update) the HTTP service principal keytab.
I have had some instances where the keytab generated by msktutil
seemingly works indefinably (for days at a time) without the need to
refresh the keytab. However, in other instances (different AD servers),
after a while (a few hours or days) the authentication stops working and
I have to refresh (update) the keytab using msktutil again. In the
failed instances, I use the squid negotiate auth test program, then run
the token through the squid helper process and I get an error similar
to: Token header is malformed or corrupt.
Why is this? Should the service principal keys in a keytab file last
forever? What settings in AD would effect this?
Regards, Dan...
--
Dan Searle
CensorNet Ltd - professional & affordable Web & E-mail filtering
email: dan.searle at censornet.com web: www.censornet.com
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.
CensorNet Ltd is a registered company in England & Wales No. 05518629
VAT registration number 901-2048-78
Any views expressed in this email communication are those of the
individual sender, except where the sender specifically states them to
be the views of a member of Censornet Ltd. Censornet Ltd. does not
represent, warrant or guarantee that the integrity of this
communication has been maintained nor that the communication is free of
errors or interference.
------------------------------------------------------------------------------------
Scanned for viruses, spam and offensive content by CensorNet MailSafe
Try CensorNet free for 14 days. Provide Internet access on your terms.
Visit www.censornet.com for more information.
More information about the Kerberos
mailing list