Re: Failed to set property 'servicePrincipalName' to 'HTTP/...


Rafael Akchurin

Jun 15, 2017, 3:30:08 AM
to web-s...@googlegroups.com
Hello Pablo,

Are you using Active Directory or Samba 4?
The part after HTTP/ but before @ needs to be lowercase I think - could you try?

Best regards,
Rafael Akchurin

On 15 Jun 2017 at 9:20 AM, Pablo Tamayo <pta...@alphaside.com> wrote:

Hi group,

When I am trying to create a keytab using the command:

ktpass -princ HTTP/XY-ATPR01....@DOMINIO.COM -mapuser us...@DOMINIO.COM -crypto rc4-hmac-nt -pass unpasss -ptype KRB5_NT_PRINCIPAL -out krb5_pxy.keytab

I always get this answer:

Failed to set property 'servicePrincipalName' to 'HTTP...

I am using the Administrator account. 

I have been spending a lot of time on this. I will appreciate your help.

Pablo


Pablo Tamayo

Jun 16, 2017, 12:47:34 PM
to Diladele Web Safety
Hi Rafael,

I appreciate your reply.

Are you using Active Directory or Samba 4?
Active Directory 2012

The part after HTTP/ but before @ needs to be lowercase I think - could you try?
I have tried that. But still the same message.

:(


Thanks





rafael....@diladele.com

Jun 17, 2017, 6:09:24 AM
to Diladele Web Safety
Hello Pablo,

Could you dump the contents of the squid user LDAP properties using ldp.exe or ADSIedit and send them here or at sup...@diladele.com?
The "failed to set the property" is indeed the error but what is the *numeric* output after this message? May it be 5 for example (access denied)?

Best regards,
Rafael

Pablo Tamayo

Jun 19, 2017, 7:13:18 PM
to Diladele Web Safety
Hi Rafael,

I will send the contents of the squid user tomorrow.

The "failed to set the property" is indeed the error but what is the *numeric* output after this message? May it be 5 for example (access denied)?


Using legacy password setting method
Failed to set property 'servicePrincipalName' to 'HTTP/UIOMATRV-ATPR01.xxx.xxx.com' on Dn 'CN=Angulo T. Pedro,OU=Usuarios de Servicios,OU=Usuarios,OU=organizacion,OU=_Empresarial,DC=xxx,DC=xxx,DC=com': 0x13.
WARNING: Unable to set SPN mapping data.


thanks again

rafael....@diladele.com

Jun 20, 2017, 3:01:18 AM
to Diladele Web Safety
Hello Pablo,

May it be you have UAC enabled on your server by any chance?

See the discussion at https://social.technet.microsoft.com/Forums/systemcenter/en-US/9790b84c-edaf-4228-83be-85a3a6a6d8fd/while-executing-the-ktpass-command-warning-unable-to-set-spn-mapping-data-appeared?forum=winserverDS

Also pay attention that you are a Domain/Enterprise Admin.

Raf

Pablo Tamayo

Jun 20, 2017, 6:49:50 PM
to Diladele Web Safety

Hello Rafael,

I appreciate your help. The reading guided me to the solution. This was the problem:

If there is another user with a mapping, the command fails.

I use the command:

setspn -l auser, to find the mapping that is affecting it.
When I find it, I delete it with:
setspn -D HTTP/host.dominio.com auser

After that, when I execute ktpass, everything is fine.

Thanks for the support.

rafael....@diladele.com

Jun 21, 2017, 3:00:01 AM
to Diladele Web Safety
Thanks Pablo,

Added a warning about this to https://docs.diladele.com/administrator_guide_5_1/active_directory/kerberos/keytab.html
Hopefully this will help others with the same error in future.

Best regards,
Rafael

Van Nguyen Khoa

Jun 22, 2018, 5:29:33 AM
to Diladele Web Safety
Hi Rafael,
I followed your instructions. Then the Kerberos authenticator is successful, but I have this message at the end:

Active Directory KVNO keytab check result (looking up of msDS-KeyVersionNumber value in LDAP).

Cannot find msDS-KeyVersionNumber attribute in LDAP search result {}

My DC is running on: Windows Server 2012 R2 Standard x64-bit

I am not sure about the message. Is that OK or not?

Rafael Akchurin

Jun 22, 2018, 5:38:48 AM
to web-s...@googlegroups.com

Hello Van,

This error may indicate the user that you use to integrate with the AD does not have rights to look up that attribute. Could you try specifying the administrator user there? And see if it starts working? If yes – we will need to think more.

Another possibility – in 6.3 we have improved the debug testing in that area – so if you could deploy it and try? Send me the output of the Test Connection button in UI / Squid / Auth / AD Integration. Please direct it to sup...@diladele.com – as the output may contain sensitive info.

Best regards,
Rafael

Van Nguyen Khoa

Jun 25, 2018, 11:10:23 PM
to web-s...@googlegroups.com
Hi Rafael,
I used the domain Administrator account in this case.
For the SPN, I used cscript to check on the DC.

CN=HVSQUID02,OU=Linux,OU=PROD,OU=Servers,DC=FUSHAN,DC=fihnbb,DC=com
Class: computer
Computer DNS: hvsquid02.fushan.fihnbb.com
-- HTTP/hvsquid02
-- HOST/hvsquid02.fushan.fihnbb.com
-- HOST/HVSQUID02

CN=Administrator,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
Class: user
User Logon: Administrator
-- HTTP/hvsquid02.fushan.fihnbb.com

Is that OK if I have both classes, user and computer?

And where is access.log? I checked Web UI / Squid / Logs / Access Logs. Here is the result: Requested log file is empty.
I also checked /var/logs/squid/access.log. The file is empty also.
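Pablo's fix above (use setspn to find which account already holds the SPN and remove the stale mapping before re-running ktpass) and Van's question about a computer object and a user object both carrying HTTP SPNs for the same proxy host come down to one read-only check. The script below is an added example, not code from the thread or from Diladele; it assumes the RSAT ActiveDirectory module and uses constructed placeholder host and domain names.

```powershell
# Added example (not from the thread or Diladele's code): list every AD object
# that already holds an HTTP SPN for a proxy host, so ktpass is run only once
# the SPN has a single, intended owner. Needs the RSAT ActiveDirectory module
# and an account that can read servicePrincipalName; nothing is modified.
# Host and domain names are constructed placeholders.
# Built-in equivalents: setspn -Q HTTP/<fqdn> (who holds it), setspn -X (duplicate scan).
param(
    [string]$ProxyHost = 'proxy01',        # placeholder short host name
    [string]$DnsDomain = 'corp.example'    # placeholder DNS domain
)
Import-Module ActiveDirectory

$fqdn = "$ProxyHost.$DnsDomain"
# AD stores SPNs without the @REALM suffix, so look for the two forms that
# ktpass or a browser can produce: HTTP/<short> and HTTP/<fqdn>.
$ldapFilter = "(|(servicePrincipalName=HTTP/$ProxyHost)(servicePrincipalName=HTTP/$fqdn))"
$spnRegex   = '^HTTP/(' + [regex]::Escape($ProxyHost) + '|' + [regex]::Escape($fqdn) + ')$'

# One row per (SPN, object) pair; -match is case-insensitive, like AD's SPN matching.
$holders = Get-ADObject -LDAPFilter $ldapFilter -Properties servicePrincipalName |
    ForEach-Object {
        $obj = $_
        $obj.servicePrincipalName | Where-Object { $_ -match $spnRegex } | ForEach-Object {
            [pscustomobject]@{ SPN = $_; Class = $obj.ObjectClass; DN = $obj.DistinguishedName }
        }
    }

if (-not $holders) {
    Write-Host "No object holds HTTP/$ProxyHost or HTTP/$fqdn; ktpass can register it on the -mapuser account."
    return
}
$holders | Format-Table -AutoSize

# Case 1 (Pablo's error): the same SPN string on more than one object. AD refuses
# the write, which ktpass reports as "Failed to set property 'servicePrincipalName'".
$holders | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    $msg = "{0} is held by {1} objects; keep one owner and remove it elsewhere with: setspn -D {0} <account>" -f $_.Name, $_.Count
    Write-Warning $msg
}

# Case 2 (Van's question): a computer object and a user object each carry an HTTP
# SPN for this host. Only the account named in ktpass -mapuser gets the keytab key,
# and clients ask for the SPN of the FQDN they connect to, so that form must sit there.
$classes = @($holders.Class | Sort-Object -Unique)
if ($classes.Count -gt 1) {
    Write-Warning ("HTTP SPNs for $ProxyHost are split across object classes: " + ($classes -join ', ') +
                   ". Consolidate them on the ktpass -mapuser account.")
}
```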


Rafael Akchurin

Jun 26, 2018, 4:37:55 PM
to web-s...@googlegroups.com

Hello Van,

I was referring to output of pages in UI / Squid / Auth / AD / Test Connection.

May it be you are running this on pfsense (these pages are hidden on pfsense as we do not manage it on that platform).

Raf


Van Nguyen Khoa

Jun 26, 2018, 9:15:16 PM
to web-s...@googlegroups.com
Hi Rafael,
Here is the output.

Success!

LDAP test completed successfully with the following results. Do not forget to Apply New Settings and Restart the ICAP server to activate LDAP settings.

Starting LDAP Connection Test...
Local time: 2018-Jun-27 08:12:25

LDAP bind info:
bind_user   => Admini...@fushan.fihnbb.com
bind_pass   => *******password
base_dn     => DC=FUSHAN,DC=fihnbb,DC=com

LDAP connection info:
cacert      => 
connect as  => simple LDAP (unencrypted, not secure)

Testing LDAP connection to 1st LDAP server:
host        => hvfdc01.fushan.fihnbb.com
port        => 389
timeout     => 10 seconds

Trying to search for a user in the LDAP directory with the following info:
Attribute name(s): sAMAccountName,userPrincipalName,primaryGroupId,memberOf
Search filter: (|(userPrincipalName=Admini...@fushan.fihnbb.com)(sAMAccountName=Administrator))

--------------------------------------------------
SUCCESS: User is found in the LDAP directory!
--------------------------------------------------


Found the following LDAP attributes:
	Entry (0)
		DistinguishedName: CN=Administrator,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
		Attributes       : 
			memberOf
				CN=HVFDC02 $ Acronis Remote Users,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Group Policy Creator Owners,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Enterprise Admins,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Schema Admins,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Domain Admins,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Administrators,CN=Builtin,DC=FUSHAN,DC=fihnbb,DC=com

			primaryGroupID => 513
			sAMAccountName => Administrator
			userPrincipalName => HTTP/hvsquid02.fus...@FUSHAN.FIHNBB.COM

SUCCESS: Successfully connected to 1st LDAP server!


Testing LDAP connection to 2nd LDAP server:
host        => hvfdc02.fushan.fihnbb.com
port        => 389
timeout     => 10 seconds

Trying to search for a user in the LDAP directory with the following info:
Attribute name(s): sAMAccountName,userPrincipalName,primaryGroupId,memberOf
Search filter: (|(userPrincipalName=Admini...@fushan.fihnbb.com)(sAMAccountName=Administrator))

--------------------------------------------------
SUCCESS: User is found in the LDAP directory!
--------------------------------------------------


Found the following LDAP attributes:
	Entry (0)
		DistinguishedName: CN=Administrator,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
		Attributes       : 
			memberOf
				CN=HVFDC02 $ Acronis Remote Users,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Administrators,CN=Builtin,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Domain Admins,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Enterprise Admins,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Schema Admins,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com
				CN=Group Policy Creator Owners,CN=Users,DC=FUSHAN,DC=fihnbb,DC=com

			primaryGroupID => 513
			sAMAccountName => Administrator
			userPrincipalName => HTTP/hvsquid02.fus...@FUSHAN.FIHNBB.COM

SUCCESS: Successfully connected to 2nd LDAP server!
LDAP Connection Test completed
Local time: 2018-Jun-27 08:12:25


rafael....@diladele.com

Jun 28, 2018, 3:10:00 PM
to Diladele Web Safety
Well it seems the proxy computer joined to the domain *might* be a problem, although I am not sure.
Do you really require your proxy be part of the domain? If not, try removing the HVSQUID02 record from the AD.

Then hopefully the Kerberos check will show meaningful results.
BTW - could you also show me the lower page output at UI / Squid / Auth / AD / Kerberos?

Raf


Van Nguyen Khoa

Jul 4, 2018, 3:44:03 AM
to web-s...@googlegroups.com
Hi Rafael,
I also have a problem with Lync / Skype for Business.
Skype cannot connect through Squid. Can you give me a solution?


Rafael Akchurin

Jul 4, 2018, 4:00:14 AM
to web-s...@googlegroups.com
Hello Van,

Skype is a pain. Current recommended instructions are at https://docs.diladele.com/faq/squid/sslbump_exlusions/skype.html

Best regards,
Rafael Akchurin