Dear Markus/Nick/All,
After a great struggle, and with the help I got from you people, I managed to resolve
the issue; however, I have a few confusions which I wish to ask you about, please.
1. First of all, I traced my problem down to SPN name case sensitivity: the case
of the servicePrincipalName attribute as seen through the ADSIEDIT.msc tool was
different from the value my klist -ke was showing.
According to ADSIEDIT.msc:
servicePrincipalName == HTTP/squidlhrtest.v.local
userPrincipalName == HTTP/[email protected]
whereas klist shows the SPN as stored in my keytab:
2 HTTP/[email protected] (DES cbc mode with CRC-32)
2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
2 HTTP/[email protected] (ArcFour with HMAC/md5)
After diagnosing the problem I tried recreating the keytab/SPN through the msktutil
utility, however to no benefit. But then I changed my hostname (the squid machine's)
all to lowercase and recreated the keytab, and it worked. I confirmed that it
matched the one stored in Active Directory. Kerberos/Negotiate was
working. Although I have studied that the Microsoft SPN is case insensitive,
does this also mean that Microsoft will always store the SPN in lower case no
matter how you have given the name in your msktutil command?
The second thing is: what is the role of the UPN here? I mean, why is a UPN required
when creating an SPN with computer objects? I can understand that it is some kind of
linkage, but I am not sure and clear about the purpose.
Also, why does the SPN attribute have no realm name appended in the output while the UPN has a
realm name appended in the output when seen through ADSIEDIT.msc?
Another question: as I am using SARG configured with Apache, I am looking
forward to SSO for Apache also with Kerberos. Now the keytab/SPN for Squid SSO is
already created here as:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h
squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn
HTTP/squidlhrtest.v.local --server vdc.v.local --verbose
Right now, to my understanding, a keytab can have keys for multiple services, so
does this mean that I can have the same keytab used for both Squid and Apache? For
example, I think the following command will append the following new keys to the
keytab file. I guess that only the computer-name is to be changed and the
rest of the same command will do as far as the keytab creation is concerned.
(Apache-specific settings are a separate story which is definitely out of scope
here.)
The command which, to my understanding, will append keys to be used by Apache:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h
squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name apache-http
--upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose
But why shouldn't Apache and Squid share a single keytab? After all, they
are both HTTP in the end. Isn't creating a separate key/SPN for Apache
redundant, or is it a must?
Another somewhat similar question is that my Active Directory setup has a
single forest with one parent A and two children B and C. The internet
users are only in children A and B. What would be the way to handle SSO? I do
not have much clarity; can anybody please advise? How would I
be pointing to the multiple realms? Would I duplicate the exact setup which I
have done for one domain and somehow (I am unclear) update Squid
accordingly?
I would be really thankful to all of you for guidance/help.
best regards,
Bilal Aslam
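The case mismatch described in point 1 above, as an added example that is not part of the original mail: a small POSIX shell check that parses a klist -ke listing (a constructed sample with placeholder host and realm, not the poster's values) and reports whether the keytab principal matches the AD servicePrincipalName exactly, only by case, or not at all, and also counts the DES keys that such a keytab still carries. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original mail: check a `klist -ke` listing
# against the servicePrincipalName expected in AD. Host and realm below are
# constructed placeholders, not the poster's real values.

# Constructed sample listing in the shape of the poster's, with an
# upper-case host in the keytab (the mismatch the poster ran into).
KLIST_SAMPLE='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HTTP/SQUIDLHRTEST.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 HTTP/SQUIDLHRTEST.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   2 HTTP/SQUIDLHRTEST.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)'

# Print each distinct principal in the listing with the realm stripped.
# Key entries are the lines whose first field is a numeric KVNO.
keytab_spns() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ { sub(/@.*/, "", $2); print $2 }' | sort -u
}

# Compare the keytab SPNs with the AD servicePrincipalName. The Unix
# Kerberos library compares principal names case-sensitively, so a
# case-only difference fails authentication just as a missing key would.
# Exit status: 0 exact match, 1 case-only mismatch, 2 SPN absent.
check_spn_case() {
    expected=$1
    spns=$(keytab_spns "$2")
    printf '%s\n' "$spns" | grep -qxF -- "$expected" && return 0
    printf '%s\n' "$spns" | grep -qixF -- "$expected" && return 1
    return 2
}

# Count DES keys; DES is obsolete and should be removed from the keytab
# once stronger (AES) keys are available for the account.
count_des_keys() {
    printf '%s\n' "$1" | grep -c 'DES cbc'
}

rc=0
check_spn_case 'HTTP/squidlhrtest.example.test' "$KLIST_SAMPLE" || rc=$?
case $rc in
    0) echo "keytab SPN matches AD exactly" ;;
    1) echo "keytab SPN differs from AD only by case: recreate the keytab with the canonical name" ;;
    *) echo "expected SPN is not in the keytab" ;;
esac
echo "DES keys in keytab: $(count_des_keys "$KLIST_SAMPLE")"
```

Run against a live keytab by replacing KLIST_SAMPLE with the output of klist -ke -t /etc/squid/HTTP.keytab and the expected value with the servicePrincipalName read from AD.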