By the way, I'm using 5.0rc6. Do you know of a version which definitely supported fully qualified principals? Could it be down to something else rather than the version of mod_auth_kerb?
Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | firstname.lastname@example.org
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On Behalf Of Richard E. Silverman
Sent: 23 May 2006 06:47
Subject: Re: Problem using KrbServiceName
>>>>> "MG" == "Martin Goldstone"
Why do you have two different principals for this service? There should
be only one, and in fact there *can* be only one, since mod_auth_kerb will
only take one as its identity (and report "wrong principal in request" if
a client uses the wrong one).
As for "hostname cannot be canonicalized," check the version of
mod_auth_kerb you're running -- I think using a fully-qualified principal
was added later on.
MG> Hi, I'm getting further along with my problem, and I think it's
MG> coming down to the fact that we've got 2 AD domains here.
MG> Right now, I'm having problems using the KrbServiceName directive
MG> in .htaccess.
MG> I've had to get two different principals mapped to user accounts
MG> and put in the keytab (one for each AD domain) using ktpass.exe,
MG> and now my machine is getting a ticket for the service principal
MG> for the webserver (as shown by kerbtray.exe). However, the error
MG> log on the webserver is telling me "Wrong principal in request".
MG> I've tried adding a KrbServiceName directive, but I consistently
MG> get an error message that reads "Hostname cannot be canonicalized"
MG> if I include the realm, or "No principal in keytab matches desired
MG> name" if I don't. What I suspect I need is
MG> HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK (which is the service
MG> principal mapped to the user account on the domain.ac.uk AD
MG> domain), along with HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK
MG> (which is the equivalent on the nulcollege.ac.uk AD domain, and
MG> also I believe is the principal that the server is expecting).
MG> However, when I enter either the full
MG> HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK I get the first error
MG> message, and when I enter HTTP/webtest.nulcollege.ac.uk I get the
MG> second one.
MG> Can someone tell me where I'm going wrong with this directive?
MG> Any examples for entries that actually work? Would I be better off
MG> just mapping a new service principal such as
MG> www/webtest.nulcollege.ac.uk@DOMAIN.AC.UK on the domain.ac.uk AD
MG> domain to avoid having two service principals starting with the
MG> same string?
MG> Thanks in advance for any advice given.
MG> Martin Goldstone | IT Technician Newcastle-under-Lyme College,
MG> Staffordshire, ST5 2DF 01782 254307 | email@example.com
MG> ________________________________________________ Kerberos mailing
MG> list Kerberos@mit.edu
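The two checks the thread turns on (does the keytab contain the principal the KrbServiceName directive resolves to, and does the principal in the client's service ticket match the single identity mod_auth_kerb is configured with) can be scripted as a quick diagnostic. The script below is an added example written for this page, not code from the thread or from mod_auth_kerb; it works on a constructed `klist -k` listing containing both principals mentioned above so it runs offline, and it assumes that a KrbServiceName without a realm is completed with the server's default realm (set here to NULCOLLEGE.AC.UK as an assumption).

```shell
#!/bin/sh
# Added example: keytab / service-principal sanity check for mod_auth_kerb.
# Assumption: the web server's default realm from krb5.conf.
DEFAULT_REALM="NULCOLLEGE.AC.UK"

# Constructed sample of `klist -k /etc/krb5.keytab` output; on a real host
# replace this with: KEYTAB_LISTING=$(klist -k /etc/krb5.keytab)
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK
   5 HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK'

# Turn a KrbServiceName value into a full principal: keep it as given when it
# already carries a realm, otherwise append DEFAULT_REALM (assumed behaviour).
full_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$DEFAULT_REALM" ;;
    esac
}

# Exit 0 if the keytab listing has an entry for the desired principal, 1 if not
# (the "No principal in keytab matches desired name" situation).
keytab_has() {
    desired=$(full_principal "$1")
    printf '%s\n' "$KEYTAB_LISTING" |
        awk -v p="$desired" '$2 == p { found = 1 } END { exit !found }'
}

# mod_auth_kerb serves exactly one identity: compare the configured principal
# with the service principal named in the client's ticket and report a
# mismatch the way the error log in the thread does. Exit 0 on match, 1 on
# "Wrong principal in request".
check_request() {
    configured=$(full_principal "$1")
    ticket_sname="$2"
    if [ "$configured" = "$ticket_sname" ]; then
        echo "ok: $ticket_sname"
        return 0
    fi
    echo "Wrong principal in request (configured $configured, client used $ticket_sname)"
    return 1
}

# Stand-alone run: check both names from the thread and one that is absent.
for name in 'HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK' \
            'HTTP/webtest.nulcollege.ac.uk' \
            'HTTP/other.example.com'; do
    if keytab_has "$name"; then
        echo "keytab has: $(full_principal "$name")"
    else
        echo "keytab lacks: $(full_principal "$name")"
    fi
done
check_request 'HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK' \
              'HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK' || true
```

The last call shows the failure mode from the thread: with both principals in the keytab but KrbServiceName naming the DOMAIN.AC.UK one, a client that obtained a ticket for the NULCOLLEGE.AC.UK principal is rejected. Whichever single principal the directive names, the clients must all be obtaining tickets for that same name.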