I'm new to Kerberos and don't fully appreciate its complexities so
please excuse my ignorance.
I'm using msktutil to create a service principal for authenticating
users of a squid proxy server with Active Directory (server version 2008
R2) using the Negotiate (Kerberos) method.
This all works fine, however I'm at a loss as to whether I should be or
need to periodically refresh (update) the HTTP service principal keytab.
I have had some instances where the keytab generated by msktutil
seemingly works indefinitely (for days at a time) without the need to
refresh the keytab. However, in other instances (different AD servers),
after a while (a few hours or days) the authentication stops working and
I have to refresh (update) the keytab using msktutil again. In the
failed instances, I use the squid negotiate auth test program, then run
the token through the squid helper process and I get an error similar
to: Token header is malformed or corrupt.
Why is this? Should the service principal keys in a keytab file last
forever? What settings in AD would affect this?
Regards, Dan...
--
Dan Searle
CensorNet Ltd - professional & affordable Web & E-mail filtering
email: dan.s...@censornet.com web: www.censornet.com
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.
CensorNet Ltd is a registered company in England & Wales No. 05518629
VAT registration number 901-2048-78
Markus
"Dan Searle" <dan.s...@censornet.com> wrote in message
news:4AC3237...@censornet.com...
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
To my knowledge (and after some tests), msktutil requires a separate account in active directory for each service principal needed for a machine.
For instance, if a Linux computer is going to need a host/ and an http/ service principal it would be necessary to run msktutil twice, such as:
msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k linuxComputer.keytab --server domainControllerFqdn
msktutil -h fqdn --computer-name linux-computer-http --verbose -s http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn
I just wanted to confirm this was the case, or whether it is possible to have both host/ and http/ under the same account in AD.
Thanks in advance for any help,
John
That is correct. msktutil updates the key of the computer account. So the
second msktutil call with the same computer-name will make the first entry
invalid. But you can have host and http assigned to the same AD account if
you use other tools like net ads join with net ads keytab.
Regards
Markus
"John Hefferman" <john.he...@cern.ch> wrote in message
news:471AD4CD1F3AC846911E...@cernxchg74.cern.ch...
Markus Moeller wrote:
> John,
>
> That is correct. msktutil updates the key of the computer account. So the
> second msktutil call with the same computer-name will make the first entry
> invalid. But you can have host and http assigned to the same AD account if
> you use other tools like net ads join with net ads keytab.
You can also use the msktutil feature to have multiple entries in the same
keytab, for example principals for host and HTTP. They both have the same key
which may not be what you really want.
To do this use multiple -s <service> options when you create the keytab and
account. Note in AD they will each have an SPN, but a common UPN, in case
you want to use kinit with a keytab.
IMHO I would use separate accounts for each principal.
>
> Regards
> Markus
>
> "John Hefferman" <john.he...@cern.ch> wrote in message
> news:471AD4CD1F3AC846911E...@cernxchg74.cern.ch...
>> Dear list,
>>
>> To my knowledge (and after some tests), msktutil requires a separate
>> account in active directory for each service principal needed for a
>> machine.
>>
>> For instance, if a Linux computer is going to need a host/ and an http/
>> service principal it would be necessary to run msktutil twice, such as:
>>
>> msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k
>> linuxComputer.keytab --server domainControllerFqdn
>>
>> msktutil -h fqdn --computer-name linux-computer-http --verbose -s
>> http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn
>>
>> I just wanted to confirm this was the case, or whether it is possible to
>> have both host/ and http/ under the same account in AD.
>>
>> Thanks in advance for any help,
>>
>> John
--
Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
> IMHO I would use separate accounts for each principal.
Other than only being able to kinit -k as one of the SPNs, and having to specify all SPNs if a new SPN is to be added, are there any other disadvantages to doing it this way?
Thanks again,
John
________________________________________
From: kerberos...@mit.edu [kerberos...@mit.edu] On Behalf Of Douglas E. Engert [deen...@anl.gov]
Sent: 02 October 2009 22:33
To: Markus Moeller
Cc: kerb...@mit.edu
Subject: Re: msktutil requires separate account for each service principal?
John Hefferman wrote:
> Thank you both for your replies. Using msktutil with multiple -s options would probably be better.
>
>> IMHO I would use separate accounts for each principal.
>
> Other than only being able to kinit -k as one of the SPNs, and having to specify all SPNs if a new SPN is to be added, are there any other disadvantages to doing it this way?
>
Keeping the DC and the keytab in sync is the main issue.
There may be security issues, if the keytab is shared between two applications
not at the same trust level. For example if you run your HTTP server as a non-root
user for security reasons, you don't want to share the keytab with the host/fqdn
principal. And AD complicates this even more, as with RC4 the same key is used
for both. Best to use the conventional Kerberos wisdom of don't share keys
between multiple principals.
It's not hard to use msktutil in this way, just have a naming convention
for the hosts. Use the --computer-name keeping it to 19 characters or less,
all lower case; something like service-simplehostname works well.
The base does not have to be in CN=Computers either. Work with your AD admin
on a location, and use the msktutil --base option.
--
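As an added example covering both John's two-invocation approach earlier in the thread and Doug's naming convention above (this is not code from the thread and not part of msktutil itself): a small POSIX shell helper that derives a per-service AD account name of the form service-simplehostname, lower case and at most 19 characters, and prints the matching msktutil command lines without running them. The host names, domain controller, keytab file names and the OU passed to --base are constructed placeholders; the 19-character limit is the one Doug gives.

```shell
#!/bin/sh
# Added example, not from the thread. Builds msktutil invocations following
# the "one AD account per service principal" convention (service-shorthost,
# lower case, <= 19 chars), plus the single-account/multiple -s variant for
# comparison. Nothing here talks to AD: commands are printed, not executed.

# Lower-case a string portably (no bash-only ${var,,}).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# mskt_account_name SERVICE FQDN
# Prints "service-shorthost"; fails with status 1 if that exceeds 19 chars,
# because AD sAMAccountNames are short and Doug's guidance is 19 or fewer.
mskt_account_name() {
    svc=$(lc "$1")
    short=$(lc "${2%%.*}")          # strip the domain part of the FQDN
    name="${svc}-${short}"
    if [ "${#name}" -gt 19 ]; then
        printf 'error: %s is %d chars; --computer-name must be <= 19\n' \
            "$name" "${#name}" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# mskt_command SERVICE FQDN DC [BASE_DN]
# One msktutil run per service principal, each with its own account and its
# own keytab (keytab file name assumed to follow the account name). The
# optional BASE_DN is passed through --base, as Doug suggests, so the
# accounts need not live in CN=Computers.
mskt_command() {
    name=$(mskt_account_name "$1" "$2") || return 1
    svc=$(lc "$1")
    cmd="msktutil -h $2 --computer-name $name -s $svc/$2 -k $name.keytab --server $3"
    if [ -n "${4:-}" ]; then
        cmd="$cmd --base '$4'"
    fi
    printf '%s\n' "$cmd"
}

# mskt_shared_command NAME FQDN DC SERVICE...
# The alternative from the thread: one account, several -s options. Every
# listed principal then shares the same key, which is the trade-off Doug
# warns about when the services run at different trust levels.
mskt_shared_command() {
    name=$1; fqdn=$2; dc=$3; shift 3
    cmd="msktutil -h $fqdn --computer-name $name"
    for svc in "$@"; do
        cmd="$cmd -s $(lc "$svc")/$fqdn"
    done
    printf '%s\n' "$cmd -k $name.keytab --server $dc"
}

# Usage (placeholder names): separate accounts for host/ and http/ on a
# proxy, then the shared-key form for comparison.
mskt_command host proxy.example.com dc1.example.com 'OU=Linux,DC=example,DC=com'
mskt_command http proxy.example.com dc1.example.com 'OU=Linux,DC=example,DC=com'
mskt_shared_command linux-computer proxy.example.com dc1.example.com host HTTP
```

The length check is the part worth keeping: an over-long --computer-name is rejected before any command is printed, rather than silently producing an account name that AD truncates or that no longer matches the keytab file you later look for.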
Thanks very much for your help on this.
John