msktutil HTTP service principal ticket help

Markus Moeller huaraz at
Wed Sep 30 17:40:02 EDT 2009

Is the AD account which you used for the HTTP principal used for samba too 
or used in any other way? (e.g. do you use net ads join and 
msktutil --computer-name <hostname>?) Is the kvno in AD still the same?


"Dan Searle" <dan.searle at> wrote in message 
news:4AC3237D.60001 at
> Hi,
> I'm new to Kerberos and don't fully appreciate its complexities so
> please excuse my ignorance.
> I'm using msktutil to create a service principal for authenticating
> users of a squid proxy server with Active Directory (server version 2008
> R2) using the Negotiate (Kerberos) method.
> This all works fine, however I'm at a loss as to whether I should be or
> need to periodically refresh (update) the HTTP service principal keytab.
> I have had some instances where the keytab generated by msktutil
> seemingly works indefinitely (for days at a time) without the need to
> refresh the keytab. However, in other instances (different AD servers),
> after a while (a few hours or days) the authentication stops working and
> I have to refresh (update) the keytab using msktutil again. In the
> failed instances, I use the squid negotiate auth test program, then run
> the token through the squid helper process and I get an error similar
> to: Token header is malformed or corrupt.
> Why is this? Should the service principal keys in a keytab file last
> forever? What settings in AD would affect this?
> Regards, Dan...
> -- 
> Dan Searle
> ________________________________________________
> Kerberos mailing list           Kerberos at
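
Added example, not part of the original thread: the reply asks whether the kvno in AD is still the same, and one way to check is to compare the kvno stored in the keytab with the kvno the KDC reports for the same principal. It assumes the MIT Kerberos `klist -k` and `kvno` output formats; the principal, keytab path and sample outputs are constructed.

```sh
#!/bin/sh
# Added example: is the kvno in the keytab still the one AD issues tickets for?
# Live use (needs a TGT from kinit first); $KEYTAB and $PRINC are placeholders:
#   kt=$(klist -k "$KEYTAB" | keytab_kvno "$PRINC")
#   kdc=$(kvno "$PRINC" | kdc_kvno "$PRINC")
#   kvno_verdict "$kt" "$kdc"

# Highest kvno listed for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 >= max) max = $1 + 0; seen = 1 }
        END { if (!seen) exit 1; print max }'
}

# kvno from MIT `kvno` output ("<principal>: kvno = N") read from stdin.
kdc_kvno() {
    awk -v p="$1" '
        $1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4 + 0; found = 1 }
        END { if (!found) exit 1 }'
}

# $1 = keytab kvno, $2 = KDC kvno. Prints match, stale or ahead.
kvno_verdict() {
    if [ "$1" -eq "$2" ]; then echo match
    elif [ "$1" -lt "$2" ]; then echo stale   # AD key is newer than the keytab
    else echo ahead                           # keytab is newer than the KDC answer
    fi
}

# Constructed sample output (not captured from a real system).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy.example.com@EXAMPLE.COM
   2 host/proxy.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'

# Runs the comparison on the constructed sample.
sample_verdict() {
    p='HTTP/proxy.example.com@EXAMPLE.COM'
    kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$p") || return 2
    kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno "$p") || return 2
    kvno_verdict "$kt" "$kdc"
}
sample_verdict
```

A `stale` verdict means the account's password was changed in AD after the keytab was written, for example by another tool using the same account.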
