
Re: Logging in service principal



Hello,

thank you for your help. The kpass command on Windows didn't make the link 
between the user for the service and the service name (HTTP/...). Maybe you 
have to run the kpass command without the "out" parameter to do that? We 
created the link by using the graphical interface. We enabled "Advanced 
features" in the drop-down list of the "View" entry in the menu bar at the 
top of the GUI. I don't know the name of the GUI at the moment, but the users 
are listed in it. We right-clicked on the user for the service and 
selected "Name mapping". We entered the service name for the user and now it 
worked. There is a nice text with screenshots in the 
Kerberos documentation part (MIT Kerberos and Microsoft Kerberos) of the 
Microsoft site about this.

Greetings,

Michel


On Monday 22 May 2006 19:28, Michael B Allen wrote:
> On Mon, 22 May 2006 11:15:11 +0200 (CEST)
>
> michel.brabants@euphonynet.be wrote:
> > Hello,
> >
> > thank you for all your previous help, but I have another problem ... I
> > can log in a normal user, but I can't get a tgt? for the
> > HTTP service principal. I followed the tutorial at
> > http://www.grolmsnet.de/kerbtut/ for a Windows KDC and mixed the
> > Windows kpass command given there with the kpass command in the README of
> > the Heimdal package.
> >
> > When I use kinit for the HTTP service principal, I get a "client unknown"
> > back. More specifically, I'm talking about the equivalent of the following
> > line in the tutorial: kinit -k -t
> > /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de. I
> > can get a credential for the HTTP service after I logged in using my own
> > userid and password. Maybe I need to use NT_HST_?? instead of
> > KRB5_NT_PRINCIPAL?
>
> I think you're mixed up. You don't want to kinit with the HTTP service
> principal. You kinit as you on the client. You put the keytab created
> by ktpass.exe for the HTTP service principal on the web server (the
> HTTP service) and adjust the config accordingly so that it uses it. Now
> when you visit the webpage your web browser will get a ticket for the
> HTTP service principal from the KDC and send it to the web server. The
> web server uses the encryption key in the keytab to decrypt the ticket,
> thereby verifying your identity.
>
> Mike
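As an added example (not from the thread or from Heimdal), a small parser for the keytab file that ktpass.exe writes, so the administrator of the web server can confirm the keytab copied there really holds the HTTP/ service principal with the KRB5_NT_PRINCIPAL name type the thread discusses. The hostname is the one from the quoted tutorial; the realm EXAMPLE.COM, the kvno and the key bytes are constructed placeholders, and the entry is built in memory rather than read from a file.

```python
import struct

# Name type from RFC 4120 section 6.2; ktpass writes KRB5_NT_PRINCIPAL by default.
KRB5_NT_PRINCIPAL = 1

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data           # 16-bit length prefix

def build_entry(principal, realm, kvno, enctype, key, name_type=KRB5_NT_PRINCIPAL):
    """Serialise one keytab entry (file version 0x0502, all fields big-endian)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key     # key block: enctype, length, key
    return struct.pack(">i", len(body)) + body               # entry length prefix

def parse_keytab(blob: bytes):
    """Return the entries of a version-2 MIT keytab as dicts."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4]); pos += 4
        if size < 0:                    # negative length marks a deleted slot
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        parts = []                      # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
            parts.append(blob[pos:pos + n].decode()); pos += n
        name_type, _ts, kvno = struct.unpack(">IIB", blob[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4]); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        if end - pos >= 4:              # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack(">I", blob[pos:pos + 4]); kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "name_type": name_type, "kvno": kvno, "enctype": enctype, "key": key})
    return entries

def has_service_key(blob: bytes, spn: str) -> bool:
    """True if the keytab holds a key for spn with the name type ktpass writes."""
    return any(e["principal"] == spn and e["name_type"] == KRB5_NT_PRINCIPAL
               for e in parse_keytab(blob))

# Constructed sample: realm, kvno and key bytes are placeholders; enctype 23 is rc4-hmac.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/beren.grolmsnet.de", "EXAMPLE.COM", 3, 23, b"\x11" * 16)
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `has_service_key` with the full `HTTP/host@REALM` name.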