Hi Bilal,
Good to hear you've pin-pointed the problem. I'm not one hundred percent sure on all the answers to your questions, but I'll throw in my 10 cents.. It's all a learning curve!
I've just created a new computer account using msktuil and I specified the SPN as HTTP/FuNnYName.{domain}. Checking ADSI showed that the SPN was entered: HTTP/funnyname.{domain}. It was converted into lowercase.
With regards to the UPN, it depends on how it's being used. By default you won't be using it I believe if you are just using it for the standard kerb authentication.. However, I was playing around with the squid_kerb_ldap external acl the other day and my experience was that a UPN was required - but not with the UPN specified as HTTP... Do a search on the list for my problem with it (post is titled 'Squid_ldap_kerb make'). Not exactly and answer but my own experience..
Re: SPN attribute and realms - I'm not sure on this.. Other than the way a computer account and user account differs in authenticating Kerberos.
As for the multiple SPNs in one account... That's up to you. I haven't tried it but I guess you could do it. As you know you can authenticate against an account providing there is an SPN... Is there a chance your keytab would get out of sync for either? If it broke both wouldn't work..
Nick
On 21/04/2010 11:36, "GIGO ." <gigoz_at_msn.com> wrote:
Dear Markus/Nick/All,
After a great struggle and help (i got from you people)i was managed to resolve the issue however i have few confusions which i wish you to ask please.
1. First of all I traced down my problem to SPN Names casesensitivity the case for ServicePrincipalName attribute as seen through ADSIEDIT.msc tool was different from the value my klist -ke was showing.
According to ASIedit.msc:
servicePrincipalName == HTTP/squidlhrtest.v.local
userPrinciapalName == HTTP/squidlhrtest.v.local_at_V.local
Where as klisting the SPN as stored in my keytab:
2 HTTP/squidLhrTest.v.local_at_V.LOCAL (DES cbc mode with CRC-32)
2 HTTP/squidLhrTest.v.local_at_V.LOCAL (DES cbc mode with RSA-MD5)
2 HTTP/squidLhrTest.v.local_at_V.LOCAL (ArcFour with HMAC/md5)
After diagnosing the problem i tried recreation of keytab/spn through msktutil utility however in no benefit. But Then i changed my hostname(squidmachines') all to lowercase and recreated the keytab and it worked. I confirmed that it matched the one as stored in the Active Directory. kerberos/negotiate was working. Although i have studied that microsoft spn is case insensitive but does this also mean that microsoft will always store spn in lower case no matter how you have given name in your msktutil command?
Second thing is that what is the role of upn here? I mean why a upn is required when created SPN with computer objects? I can understand that its some kind of linkage but i am not sure and clear about the purpose ?
Also why SPNattribute has no realm name appended in the output while upn has a realm name appended in the output when seeing it through ADSIEDIT.msc.
Another question is that as i am using SARG configured with Apache i am looking forward to SSO apache also with kerberos. Now the keytab/spn for squid sso is already here created as :
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose
Right now to my understanding a keytab can have keys from multiple services so this means that i can have the same keytab used for squid & Apache both ? For example i think the following command will append the keytab file with the following new keys. I guess that only computer-name is to be changed and the rest of the same command will do as far as the keytab creation is concerned. (apache specific settings is a seperate story which is definately out of scope here)
The command to my understanding which will append keys to be used by Apache:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name apache-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose
But why not apache and squid should share a single keytab? as after all they are both HTTP in the end. Isnt creating a seperate key/spn for apache be redundant or it is must?
Another somewhat similar question is that My active Directory setup has a single forest with one Parent A wand two childs B and childs C. The internet users are only in childs A and B. What would be the way to handle SSO. I have not much clarity can anybody please advice? .......................How Would i be pointing to the multiple realms? would i b duplicate exact setup which i have done for 1 domain and somehow(i am unclear) somehow update squid accordingly?
Please i would be real thankful to all of you for guidance/help.
best regards,
Bilal Aslam
_________________________________________________________________
Hotmail: Free, trusted and rich email service.
https://signup.live.com/signup.aspx?id=60969
** Please consider the environment before printing this e-mail **
The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.
Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU
Registered in London No. 226900
Received on Wed Apr 21 2010 - 11:20:08 MDT
This archive was generated by hypermail 2.2.0 : Wed Apr 21 2010 - 12:00:05 MDT