By the way, I'm using 5.0rc6. Do you know of a version which definitely supported fully qualified principals? Could it be down to something else rather than the version of mod_auth_kerb?

Martin Goldstone |*IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307*|

-----Original Message-----
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On Behalf Of Richard E. Silverman
Sent: 23 May 2006 06:47
To: kerberos@MIT.EDU
Subject: Re: Problem using KrbServiceName

>>>>> "MG" == "Martin Goldstone" writes:

Why do you have two different principals for this service? There should
be only one, and in fact there *can* be only one, since mod_auth_kerb will
only take one as its identity (and report "wrong principal in request" if
a client uses the wrong one).

As for "hostname cannot be canonicalized," check the version of
mod_auth_kerb you're running -- I think using a fully-qualified principal
was added later on.

MG> Hi, I'm getting further along with my problem, and I think its
MG> coming down to the fact that we've got 2 AD domains here.

MG> Right now, I'm having problems using the KrbServiceName directive
MG> in .htaccess.

MG> I've had to get two different principles mapped to user accounts
MG> and put in the keytab (one for each AD domain) using ktpass.exe,
MG> and now my machine is getting a ticket for the service principle
MG> for the webserver (as shown by kerbtray.exe). However, the error
MG> log on the webserver is telling me "Wrong principal in request".

MG> I've tried adding a KrbServiceName directive, but I consistently
MG> get an error message that reads "Hostname cannot be canonicalized"
MG> if I include the realm, or "No principal in keytab matches desired
MG> name" if I don't. What I suspect I need is
MG> HTTP/ (which is the service
MG> principle mapped to the user account on the AD
MG> domain), along with HTTP/
MG> (which is the equivalent on the AD domain, and
MG> also I believe is the principle that the server is expecting).
MG> However, when I enter either the full
MG> HTTP/ I get the first error
MG> message, and when I enter HTTP/ I get the
MG> second one.

MG> Can someone tell me where I'm going wrong with this directive?
MG> Any examples for entries that actually work? Would I be better of
MG> just mapping a new service principle such as
MG> www/ on the AD
MG> domain to avoid having two service principles starting with the
MG> same string?

MG> Thanks in advance for any advice given.

MG> Martin Goldstone |*IT Technician Newcastle-under-Lyme College,
MG> Staffordshire, ST5 2DF 01782 254307*|

MG> ________________________________________________ Kerberos mailing
MG> list

Richard Silverman

Kerberos mailing list