Hi James,
The issue you have might be related to:
The <computer-name> has Windows Netbios limitations of 15 characters (see
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )
3MSYDPROXY01-HTTP is 17 characters long and 3MSYDPROXY01 is 12 characters
long. Can you choose a shorter one and try again ?As said the computer name
is just a name in AD to identify the object.
Markus
"James Robertson" <[email protected]> wrote in message
news:camaloy8p6zj0tfjr3twz27_zwckb1xd4e-d9b5f0cn794k+...@mail.gmail.com...
BTW Why do you want to reset the account in AD ? I don't see any reason.
I work with some Engineers that won't have a clue about how the proxy
integrates in AD and although unlikely, if they do reset the
<fqdn>-http account for any reason msktutil --auto-update will not
automatically resolve the issue and I will have to manually kinit
administrator and then run msktutil --auto-update to resolve it. If I
am not available this will be a problem. I can document what to do
(which is not hard) but frankly I do not have enough confidence they
would follow the instructions... sad I know.
from --auto-update in the msktutil man page:
...Will also update if the keytab failed to authenticate but the
default password did work. (e.g. after resetting the account in AD)...
This works with the <fqdn> but fails when using <fqdn>-http. So
although minor, it looks like a possible bug in msktutil, but I am not
sure.
I understand the point of having 2 different accounts in AD (thanks
for that) and will just use <fqdn>-http for kerberos and advise the
guys to never reset the account and hope they remember.
Thank you for your time with this Markus, I appreciate it.
James
