[squid-users] Re: squid_kerb_auth and Windows 2008

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 2 Sep 2009 22:35:32 +0100

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:h7bduh$l5g$1_at_ger.gmane.org...
>I finally could look more into Windows 2008 and I found some unusual
>behaviour. Firstly you need hotfix 951191 and possibly
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
> "KdcUseRequestedEtypesForTickets"=dword:00000001
>
> Secondly it looks like 2008 creates the HTTP principal out of a host
> principal ( see my posts on the MIT Kerberos mailing list). The
> workaround I got is:
>
> use msktutil
>
>
> msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> -k
> /etc/krb5.keytab --computer-name squid-host --upn host/<fqdn> --server
> <domain controller> --verbose --enctypes 28
>
> delete any AD entry for HTTP/<fqdn>
>
> Then use ktutil (for MIT Kerberos)
>
> #ktutil: addent -key -p HTTP/<fqdn>@DOMAIN -k 2 -e
> aes256-cts-hmac-sha1-96
> Key for HTTP/<fqdn>@DOMAIN (hex):
> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
> ktutil: wkt /etc/krb5.keytab
> ktutil: quit
>
> where the key is the same key as the host key which you can get with
> klist -ekKt /etc/krb5.keytab
>
> klist -ekKt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (ArcFour with HMAC/md5)
> (0x824b609421c13ca9f6f0faf93163fe7a)
> 2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-128 CTS mode with 96-bit
> SHA-1 HMAC) (0x700fd54f1d4ec2cd379d239f056235b3)
> 2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> (0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)
>
> I would appreciate if someone could confirm/deny this.
>

I found the problem. msktutil has a bug when using a computername with
uppercase letters.

> Regards
> Markus
>
>
Regards
Markus
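The ktutil step in the quoted post adds an HTTP/<fqdn> keytab entry whose key is a copy of the host/<fqdn> key. As an added example (not from the post, msktutil or ktutil), the Python below reads an MIT-format (version 0x0502) keytab, copies every host/<fqdn> key into an HTTP/<fqdn> entry with the same kvno and enctype, and appends it; unlike the single aes256 addent above it copies all host enctypes. The keytab bytes, the realm EXAMPLE.TEST, the hostname and the 32-byte key are constructed sample data.

```python
import struct
KEYTAB_VERSION = 0x0502  # MIT keytab file format; all fields are big-endian
def _counted(data, pos):  # counted_octet_string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):
    """Return the live entries of a version 0x0502 keytab image as dicts."""
    if struct.unpack_from(">H", data, 0)[0] != KEYTAB_VERSION:
        raise ValueError("only keytab version 0x0502 is handled")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start = pos = pos + 4
        if size < 0:                  # negative size marks a deleted entry (hole): skip it
            pos = start - size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        if start + size - pos >= 4:   # optional 32-bit kvno supersedes the 8-bit vno field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = start + size
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key})
    return entries
def encode_entry(principal, kvno, enctype, key, timestamp, name_type=1):
    """Serialize one entry (int32 size prefix included); name_type 1 = KRB5_NT_PRINCIPAL."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
def add_http_from_host(keytab, fqdn):
    """Append HTTP/<fqdn> entries reusing every host/<fqdn> key and kvno (what ktutil addent -key does)."""
    hosts = [e for e in parse_keytab(keytab) if e["principal"].startswith("host/%s@" % fqdn)]
    return keytab + b"".join(encode_entry("HTTP" + e["principal"][4:], e["kvno"], e["enctype"],
                                          e["key"], e["timestamp"], e["name_type"]) for e in hosts)

# Constructed sample: a keytab holding one host/ entry, kvno 2, enctype 18 (aes256-cts-hmac-sha1-96), dummy key
SAMPLE_KEYTAB = struct.pack(">H", KEYTAB_VERSION) + encode_entry(
    "host/squid.example.test@EXAMPLE.TEST", 2, 18, bytes(range(32)), 1251583704)
```

Writing the returned bytes to /etc/krb5.keytab gives the same result as the ktutil addent/wkt sequence; check it with klist -ekKt as in the post.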
Received on Wed Sep 02 2009 - 21:37:16 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 03 2009 - 12:00:02 MDT