I could finally look more into Windows 2008 and I found some unusual behaviour. Firstly you need hotfix 951191 and possibly

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"KdcUseRequestedEtypesForTickets"=dword:00000001

Secondly it looks like 2008 creates the HTTP principal out of a host principal (see my posts on the MIT Kerberos mailing list). The workaround I got is:

use msktutil


msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> -k /etc/krb5.keytab --computer-name squid-host --upn host/<fqdn> --server <domain controller> --verbose --enctypes 28

delete any AD entry for HTTP/<fqdn>

Then use ktutil (for MIT Kerberos)

ktutil:  addent -key -p HTTP/<fqdn>@DOMAIN -k 2 -e aes256-cts-hmac-sha1-96
Key for HTTP/<fqdn>@DOMAIN  (hex):
3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil:  wkt  /etc/krb5.keytab
ktutil:  quit

where the key is the same key as the host key which you can get with klist -ekKt /etc/krb5.keytab

klist -ekKt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (ArcFour with HMAC/md5) (0x824b609421c13ca9f6f0faf93163fe7a)
2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC) (0x700fd54f1d4ec2cd379d239f056235b3)
2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)

I would appreciate if someone could confirm/deny this.

Regards
Markus
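A scripted form of the key-copy step in the post above, added here and not part of Markus's message: it pulls the KVNO and AES-256 key of the host principal out of `klist -ekKt` output and emits the ktutil input that adds HTTP/<fqdn> with that same key. The klist sample, the fqdn squid.example.com, the realm EXAMPLE.COM and the key bytes are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `klist -ekKt /etc/krb5.keytab` output (fake keys,
# same layout as the real tool prints).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 22:08:24 host/squid.example.com@EXAMPLE.COM (ArcFour with HMAC/md5) (0x00112233445566778899aabbccddeeff)
   2 08/29/09 22:08:24 host/squid.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) (0xffeeddccbbaa99887766554433221100)
   2 08/29/09 22:08:24 host/squid.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef)'

# host_key KLIST_OUTPUT PRINCIPAL ENCTYPE_DESCRIPTION
# Prints "KVNO HEXKEY" for the one line matching principal and enctype.
host_key() {
  printf '%s\n' "$1" | awk -v p="$2" -v e="$3" '
    index($0, " " p " (" e ")") {
      key = $NF                  # last field is "(0x...)"
      gsub(/[()]/, "", key)      # drop the parentheses
      sub(/^0x/, "", key)        # ktutil wants bare hex
      print $1, key              # $1 is the KVNO column
    }'
}

# ktutil_script PRINCIPAL KVNO KTUTIL_ENCTYPE HEXKEY KEYTAB
# Emits the ktutil session from the post: addent -key, the key at the
# "(hex):" prompt, wkt, quit.  Review it, then pipe it into ktutil.
ktutil_script() {
  printf 'addent -key -p %s -k %s -e %s\n%s\nwkt %s\nquit\n' \
    "$1" "$2" "$3" "$4" "$5"
}

FQDN=squid.example.com
REALM=EXAMPLE.COM
KLIST_ENCTYPE='AES-256 CTS mode with 96-bit SHA-1 HMAC'

# Split "KVNO HEXKEY" into $1 and $2, then build the HTTP/ entry with the
# same KVNO and key as host/.
set -- $(host_key "$SAMPLE_KLIST" "host/$FQDN@$REALM" "$KLIST_ENCTYPE")
ktutil_script "HTTP/$FQDN@$REALM" "$1" aes256-cts-hmac-sha1-96 "$2" /etc/krb5.keytab
```

On a real host replace SAMPLE_KLIST with `$(klist -ekKt /etc/krb5.keytab)` and feed the printed session to `ktutil` once it looks right.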


