Service Principals for different account

Nick Cairncross Nick.Cairncross at condenast.co.uk
Fri Apr 16 07:55:48 EDT 2010


Hi All,

I decided to ask the question here instead of the Squid mailing list as it's more relevant here.

My scenario is this: I want to use Kerberos authentication for users connecting to my squid proxy server. If I join my machine to the domain and use samba to generate a keytab file (net ads keytab create etc), all my Kerberos authentication works ok - SPN is created on the Host account in adsiedit etc. However I would like to use a 'dummy' computer account for the HTTP service to authenticate against and therefore I need to use msktutil.

If my physical host is called proxy1 and the dummy account is called auth1 then I think I should run the following command:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.[mydomain] -h proxy1.[mydomain] -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/proxy1.[mydomain] --server bnd-dc4 -verbose

This gives an HTTP.keytab:
2 HTTP/proxy1.[mydomain]@[MYDOMAIN]
2 HTTP/proxy1.[mydomain]@[MYDOMAIN]
2 HTTP/proxy1.[mydomain]@[MYDOMAIN]

And ADSIedit shows for auth1:
HTTP/proxy1.[mydomain] for the SPN and UPN

However, my logs for squid indicate the following after I point myself to proxy1. I am prompted for authentication:

2010/04/16 12:46:14| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name

What have I done wrong? My msktutil commands must be wrong?

Thanks in advance,
Nick


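The error in the post ("No principal in keytab matches desired name") means the name squid_kerb_auth asked gss_acquire_cred() for was not found, byte for byte, among the keytab entries. The quickest way to see what is actually in the file is `klist -kt /etc/squid/HTTP.keytab`; the script below does the same comparison offline as an added example (it is not code from the poster, from msktutil or from Squid). It parses the MIT keytab v2 layout, lists principal, kvno and enctype for each entry, and reports whether a desired principal is present or only a near miss (short hostname instead of FQDN, lowercase realm, wrong service name). The realm EXAMPLE.COM, the host proxy1.example.com and the all-zero keys are constructed placeholders, not the poster's values.

```python
import struct
from typing import List, NamedTuple, Tuple

# Constructed placeholders: not the poster's real realm or hostname.
REALM = "EXAMPLE.COM"
HOST = "proxy1.example.com"


class KeytabEntry(NamedTuple):
    principal: str   # e.g. "HTTP/proxy1.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int     # RFC 3961 number, e.g. 17 = aes128-cts, 18 = aes256-cts, 23 = rc4-hmac


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples in MIT keytab v2 layout.
    Used here only to construct an offline sample; a real file comes from msktutil or 'net ads keytab'."""
    out = bytearray(b"\x05\x02")                       # file format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                 # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body       # positive size = live entry
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT v2 keytab into (principal, kvno, enctype); key material is skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []

    def take_string() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n]
        pos += n
        return s.decode()

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                   # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_string()
        comps = [take_string() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                                 # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:                             # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def find_principal(data: bytes, desired: str) -> List[KeytabEntry]:
    """Entries matching `desired` exactly: the lookup the GSS library performs is case-sensitive."""
    return [e for e in parse_keytab(data) if e.principal == desired]


def near_misses(data: bytes, desired: str) -> List[str]:
    """Principals that share the service name but differ in host spelling, case or realm:
    the usual reasons for 'No principal in keytab matches desired name'."""
    svc = desired.split("/", 1)[0].lower()
    return sorted({e.principal for e in parse_keytab(data)
                   if e.principal.lower().startswith(svc + "/") and e.principal != desired})


# Constructed sample: three entries for one SPN at kvno 2, as in the poster's listing.
SPN = f"HTTP/{HOST}@{REALM}"
SAMPLE_KEYTAB = build_keytab([(SPN, 2, 23, b"\x00" * 16),
                              (SPN, 2, 17, b"\x00" * 16),
                              (SPN, 2, 18, b"\x00" * 32)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e.kvno} enctype {e.enctype} {e.principal}")
    for wanted in (SPN, f"HTTP/proxy1@{REALM}", f"HTTP/{HOST}@{REALM.lower()}"):
        hits = find_principal(SAMPLE_KEYTAB, wanted)
        print(wanted, "->", "found" if hits else f"NOT found; near misses: {near_misses(SAMPLE_KEYTAB, wanted)}")
```

Run it against a real file with `parse_keytab(open("/etc/squid/HTTP.keytab", "rb").read())`; the name to compare against is the one squid_kerb_auth builds from its `-s` argument (or, without `-s`, from the machine's own hostname) plus the realm from krb5.conf, so a short hostname or a lowercase realm on either side produces exactly the failure in the log even when `klist -kt` looks correct.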



