Re: [squid-users] Creating a kerberos Service Principal.

2010-04-08 Thread Khaled Blah
Hi Bilal,

1. ktpass and msktutil practically do the same, they create keytabs
which include the keys that squid will need to decrypt the ticket it
receives from the user. However ktpass only creates a file which you
will then have to securely transfer to your proxy server so that squid
can access it. Using msktutil on your proxy server, you can get the
same keytab without having to transfer it. Thus, msktutil saves you
some time and hassle. AFAIR both need Administrator rights, which
means the account used for ktpass/msktutil needs to be a member of the
Administrator group.

2. To answer this question, one would need more information about your
network and your setup. Basically, mixing any other authentication
method with Kerberos is not a good idea. That's because if the other
method is insecure or less secure, an attacker who gains access to a
user's credentials will be able to impersonate that user against
Kerberos and thus be able to use ALL services that this user has
access to. In any case DO NOT use basic auth with Kerberos in a
public set-up. That's a recipe for disaster. Digest auth and NTLM
(v2) might be suitable but these are in fact less secure than Kerberos
and thus not preferable. One down-side to Kerberos is that it's an
all-or-nothing service: either you use Kerberos and only Kerberos or
you risk security breaches in any mixed situation.

HTH

Khaled

2010/4/6 GIGO . gi...@msn.com:

 Dear All,

 Please guide me in regard to SSO setup with Active Directory (no
 winbind/Samba). I have the following questions in this regard.

 1. Creating a Kerberos service principal and keytab file that is used by
 Squid: what is the effective method? Difference between using ktpass vs
 msktutil package? What rights would I require in Active Directory, and if
 none, then why so?

 2. How to configure the fallback authentication scheme if Kerberos fails?
 LDAP authentication using basic looks to be an option, but isn't it less
 secure? Is there a better approach possible?

 regards,

 Bilal Aslam
 _
 Hotmail: Powerful Free email with security by Microsoft.
 https://signup.live.com/signup.aspx?id=60969
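
An added example, not part of the original thread: a shell check for the mixed-authentication setup warned about in point 2 of the reply. It reads a squid.conf and reports whether any other scheme is offered next to Negotiate (Kerberos); the function names, sample config, helper paths and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which auth schemes a squid.conf
# offers next to Kerberos (Negotiate). The sample config below is constructed.

# Print each scheme that has an "auth_param <scheme> program" line, sorted and
# de-duplicated. Commented-out directives and inline comments are ignored.
list_auth_schemes() {
    awk '
        { sub(/#.*/, "") }
        $1 == "auth_param" && $3 == "program" { print tolower($2) }
    ' "$1" | sort -u
}

# Verdict on stdout: kerberos-only | mixed-basic | mixed-weaker | no-negotiate
# Exit status: 0 Kerberos only, 1 another scheme is also offered, 2 no Negotiate.
audit_auth_schemes() {
    schemes=$(list_auth_schemes "$1")
    if ! printf '%s\n' "$schemes" | grep -qx negotiate; then
        echo "no-negotiate"; return 2
    fi
    if printf '%s\n' "$schemes" | grep -qx basic; then
        echo "mixed-basic"; return 1
    fi
    if printf '%s\n' "$schemes" | grep -qxE 'digest|ntlm'; then
        echo "mixed-weaker"; return 1
    fi
    echo "kerberos-only"; return 0
}

# Constructed sample: Negotiate with a Basic/LDAP fallback, as asked in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# helper paths are illustrative and vary by distribution
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
#auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/digest
auth_param basic program /usr/lib/squid/basic_ldap_auth -b "dc=example,dc=com" ldap.example.com
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
EOF
verdict=$(audit_auth_schemes "$sample") || true
echo "$sample: $verdict"
rm -f "$sample"
```

The exit status makes the check usable as a gate in a configuration review before a proxy change is rolled out.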


Re: [squid-users] Creating a kerberos Service Principal.

2010-04-08 Thread Khaled Blah
I forgot this link to an Example configuration:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


[squid-users] Creating a kerberos Service Principal.

2010-04-06 Thread GIGO .

Dear All,

Please guide me in regard to SSO setup with Active Directory (no winbind/Samba).
I have the following questions in this regard.

1. Creating a Kerberos service principal and keytab file that is used by
Squid: what is the effective method? Difference between using ktpass vs msktutil
package? What rights would I require in Active Directory, and if none, then
why so?

2. How to configure the fallback authentication scheme if Kerberos fails? LDAP
authentication using basic looks to be an option, but isn't it less secure? Is
there a better approach possible?

regards,

Bilal Aslam