Hi Bilal,

Good to hear you've pinpointed the problem. I'm not one hundred percent sure 
on all the answers to your questions, but I'll throw in my 10 cents. It's all 
a learning curve!

I've just created a new computer account using msktutil and I specified the SPN 
as HTTP/FuNnYName.{domain}. Checking ADSI showed that the SPN was entered as 
HTTP/funnyname.{domain}. It was converted into lowercase.

With regards to the UPN, it depends on how it's being used. By default you 
won't be using it, I believe, if you are just using it for the standard kerb 
authentication. However, I was playing around with the squid_kerb_ldap 
external acl the other day and my experience was that a UPN was required, but 
not with the UPN specified as HTTP... Do a search on the list for my problem 
with it (the post is titled 'Squid_ldap_kerb make'). Not exactly an answer, but my 
own experience.

Re: SPN attribute and realms, I'm not sure on this, other than the way a 
computer account and a user account differ in authenticating with Kerberos.

As for the multiple SPNs in one account... That's up to you. I haven't tried it, 
but I guess you could do it. As you know, you can authenticate against an 
account providing there is an SPN... Is there a chance your keytab would get 
out of sync for either? If it broke, both wouldn't work.

Nick

On 21/04/2010 11:36, "GIGO ." <[email protected]> wrote:

Dear Markus/Nick/All,

After a great struggle, and with the help I got from you people, I managed to 
resolve the issue. However, I have a few confusions which I wish to ask you 
about, please.


1. First of all, I traced my problem down to SPN name case sensitivity: the case 
of the ServicePrincipalName attribute as seen through the ADSIEDIT.msc tool was 
different from the value my klist -ke was showing.



According to ADSIEDIT.msc:

servicePrincipalName == HTTP/squidlhrtest.v.local
userPrincipalName == HTTP/[email protected]

Whereas klist shows the SPN as stored in my keytab:
2 HTTP/[email protected] (DES cbc mode with CRC-32)
2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
2 HTTP/[email protected] (ArcFour with HMAC/md5)

After diagnosing the problem I tried recreating the keytab/SPN through the msktutil 
utility, but to no benefit. But then I changed my hostname (the squid machine's) 
to all lowercase and recreated the keytab, and it worked. I confirmed that it 
matched the one stored in Active Directory. Kerberos/negotiate was 
working. Although I have read that the Microsoft SPN is case insensitive, 
does this also mean that Microsoft will always store the SPN in lower case, no 
matter how you have given the name in your msktutil command?


The second thing is: what is the role of the UPN here? I mean, why is a UPN required 
when creating an SPN with computer objects? I can understand that it's some kind of 
linkage, but I am not sure and clear about the purpose.


Also, why does the SPN attribute have no realm name appended in the output, while the UPN has a 
realm name appended in the output, when seen through ADSIEDIT.msc?


Another question is that, as I am using SARG configured with Apache, I am looking 
forward to SSO for Apache also with Kerberos. Now the keytab/SPN for the squid SSO is 
already created here as:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h 
squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn 
HTTP/squidlhrtest.v.local --server vdc.v.local --verbose

Right now, to my understanding, a keytab can have keys from multiple services, so 
this means that I can have the same keytab used for both squid & Apache? For 
example, I think the following command will append the following new keys to the 
keytab file. I guess that only the computer-name is to be changed and the 
rest of the same command will do, as far as the keytab creation is concerned. 
(Apache-specific settings are a separate story which is definitely out of scope 
here.)

The command which, to my understanding, will append the keys to be used by Apache:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h 
squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name apache-http 
--upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose


But why shouldn't apache and squid share a single keytab? After all, they 
are both HTTP in the end. Isn't creating a separate key/SPN for apache 
redundant, or is it a must?



Another somewhat similar question is that my Active Directory setup has a 
single forest with one parent A and two child domains B and C. The internet 
users are only in A and B. What would be the way to handle SSO? I don't have 
much clarity; can anybody please advise? How would I 
be pointing to the multiple realms? Would I duplicate the exact setup which I 
have done for one domain and somehow (I am unclear how) update squid 
accordingly?




I would be really thankful to all of you for guidance/help.



best regards,

Bilal Aslam
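
A check for the case-sensitivity problem Bilal describes above and for the keytab-out-of-sync concern Nick raises in his reply, as an added example (not code from this thread, from Squid or from msktutil): it parses `klist -ke` output and compares each key with the servicePrincipalName and msDS-KeyVersionNumber values AD holds for the account. The klist output and the AD values are constructed samples; the realm name V.LOCAL and the extra host/squid-http SPN are assumptions, not values from the thread.

```python
import re

# One data line of `klist -ke`: "<kvno> <service>@<REALM> (<enctype>)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((.+)\)\s*$")

# Constructed sample of a keytab created with a mixed-case hostname, the
# situation described in the thread (not real output from Bilal's machine).
BEFORE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/SquidLhrTest.v.local@V.LOCAL (DES cbc mode with CRC-32)
   2 HTTP/SquidLhrTest.v.local@V.LOCAL (DES cbc mode with RSA-MD5)
   2 HTTP/SquidLhrTest.v.local@V.LOCAL (ArcFour with HMAC/md5)
"""

# Constructed sample after recreating the keytab with the lowercase hostname.
AFTER_KLIST = BEFORE_KLIST.replace("SquidLhrTest", "squidlhrtest")

# What ADSIEDIT shows on the computer object. servicePrincipalName is
# multi-valued; the host/ SPN and the realm V.LOCAL are assumed values.
AD_SPNS = ["HTTP/squidlhrtest.v.local", "host/squid-http"]
AD_REALM = "V.LOCAL"
AD_KVNO = 2  # msDS-KeyVersionNumber on the account (assumed)


def parse_klist(text):
    """Return (kvno, service_principal, realm, enctype) per key in `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:  # header, separator and blank lines do not match
            kvno, spn, realm, enctype = m.groups()
            entries.append((int(kvno), spn, realm, enctype))
    return entries


def check_keytab_against_ad(klist_text, ad_spns, ad_kvno, ad_realm):
    """Compare keytab entries with the SPNs and kvno AD holds for the account.

    Returns a de-duplicated list of problem strings; an empty list means the
    keytab should be usable for GSSAPI/Negotiate. MIT Kerberos matches keytab
    principals byte-for-byte, so a case difference between the keytab and the
    value AD stores breaks authentication even though AD itself treats SPNs
    case-insensitively. A kvno differing from msDS-KeyVersionNumber means the
    account password changed after the keytab was written (the out-of-sync case).
    """
    entries = parse_klist(klist_text)
    if not entries:
        return ["no keytab entries parsed"]
    ad_lower = {s.lower(): s for s in ad_spns}
    problems = []
    for kvno, spn, realm, _enctype in entries:
        if spn not in ad_spns:
            if spn.lower() in ad_lower:
                problems.append(
                    f"case mismatch: keytab has {spn}, AD stores {ad_lower[spn.lower()]}")
            else:
                problems.append(f"SPN not registered in AD: {spn}")
        if realm != ad_realm:
            problems.append(f"realm mismatch: keytab has {realm}, expected {ad_realm}")
        if kvno != ad_kvno:
            problems.append(
                f"kvno mismatch: keytab has {kvno}, AD msDS-KeyVersionNumber is {ad_kvno}")
    # The same problem repeats once per enctype line; report each once, in order.
    return list(dict.fromkeys(problems))


if __name__ == "__main__":
    for label, text in (("before", BEFORE_KLIST), ("after", AFTER_KLIST)):
        print(label, check_keytab_against_ad(text, AD_SPNS, AD_KVNO, AD_REALM) or "OK")
```

On a real box the klist text would come from `klist -ke /etc/squid/HTTP.keytab` and the AD side from ADSIEDIT or an LDAP query of the computer object; the comparison logic is the same. Running the stand-alone script reports the case mismatch for the mixed-case keytab and OK for the lowercase one.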