Hi, I'm new to Kerberos and don't fully appreciate it's complexities so please excuse my ignorance.
I'm using msktutil to create a service principal for authenticating users of a squid proxy server with Active Directory (server version 2008 R2) using the Negotiate (Kerberos) method. This all works fine, however I'm at a loss as to whether I should be or need to periodically refresh (update) the HTTP service principal keytab. I have had some instances where the keytab generated by msktutil seemingly works indefinably (for days at a time) without the need to refresh the keytab. However, in other instances (different AD servers), after a while (a few hours or days) the authentication stops working and I have to refresh (update) the keytab using msktutil again. In the failed instances, I use the squid negotiate auth test program, then run the token through the squid helper process and I get an error similar to: Token header is malformed or corrupt. Why is this? Should the service principal keys in a keytab file last forever? What settings in AD would effect this? Regards, Dan... -- Dan Searle CensorNet Ltd - professional & affordable Web & E-mail filtering email: [email protected] web: www.censornet.com tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592 snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK. CensorNet Ltd is a registered company in England & Wales No. 05518629 VAT registration number 901-2048-78 Any views expressed in this email communication are those of the individual sender, except where the sender specifically states them to be the views of a member of Censornet Ltd. Censornet Ltd. does not represent, warrant or guarantee that the integrity of this communication has been maintained nor that the communication is free of errors or interference. ------------------------------------------------------------------------------------ Scanned for viruses, spam and offensive content by CensorNet MailSafe Try CensorNet free for 14 days. Provide Internet access on your terms. Visit www.censornet.com for more information. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
