Dear Markus/Nick/All,
After a great struggle and help (i got from you people)i was managed to resolve the issue however i have few confusions which i wish you to ask please.
1. First of all I traced down my problem to SPN Names casesensitivity the case for ServicePrincipalName attribute as seen through ADSIEDIT.msc tool was different from the value my klist -ke was showing.
According to ASIedit.msc:
servicePrincipalName == HTTP/squidlhrtest.v.local
userPrinciapalName == HTTP/squidlhrtest.v.local_at_V.local
Where as klisting the SPN as stored in my keytab:
2 HTTP/squidLhrTest.v.local_at_V.LOCAL (DES cbc mode with CRC-32)
2 HTTP/squidLhrTest.v.local_at_V.LOCAL (DES cbc mode with RSA-MD5)
2 HTTP/squidLhrTest.v.local_at_V.LOCAL (ArcFour with HMAC/md5)
After diagnosing the problem i tried recreation of keytab/spn through msktutil utility however in no benefit. But Then i changed my hostname(squidmachines') all to lowercase and recreated the keytab and it worked. I confirmed that it matched the one as stored in the Active Directory. kerberos/negotiate was working. Although i have studied that microsoft spn is case insensitive but does this also mean that microsoft will always store spn in lower case no matter how you have given name in your msktutil command?
Second thing is that what is the role of upn here? I mean why a upn is required when created SPN with computer objects? I can understand that its some kind of linkage but i am not sure and clear about the purpose ?
Also why SPNattribute has no realm name appended in the output while upn has a realm name appended in the output when seeing it through ADSIEDIT.msc.
Another question is that as i am using SARG configured with Apache i am looking forward to SSO apache also with kerberos. Now the keytab/spn for squid sso is already here created as :
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose
Right now to my understanding a keytab can have keys from multiple services so this means that i can have the same keytab used for squid & Apache both ? For example i think the following command will append the keytab file with the following new keys. I guess that only computer-name is to be changed and the rest of the same command will do as far as the keytab creation is concerned. (apache specific settings is a seperate story which is definately out of scope here)
The command to my understanding which will append keys to be used by Apache:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name apache-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose
But why not apache and squid should share a single keytab? as after all they are both HTTP in the end. Isnt creating a seperate key/spn for apache be redundant or it is must?
Another somewhat similar question is that My active Directory setup has a single forest with one Parent A wand two childs B and childs C. The internet users are only in childs A and B. What would be the way to handle SSO. I have not much clarity can anybody please advice? .......................How Would i be pointing to the multiple realms? would i b duplicate exact setup which i have done for 1 domain and somehow(i am unclear) somehow update squid accordingly?
Please i would be real thankful to all of you for guidance/help.
best regards,
Bilal Aslam
_________________________________________________________________
Hotmail: Free, trusted and rich email service.
https://signup.live.com/signup.aspx?id=60969
Received on Wed Apr 21 2010 - 10:36:32 MDT
This archive was generated by hypermail 2.2.0 : Wed Apr 21 2010 - 12:00:05 MDT