Re: [squid-users] Creating a kerberos Service Principal.

From: Khaled Blah <khaled.blah_at_googlemail.com>
Date: Thu, 8 Apr 2010 18:57:55 +0200

Hi Bilal,

1. ktpass and msktutil do practically the same thing: they create keytabs
which include the keys that squid will need to decrypt the ticket it
receives from the user. However, ktpass only creates a file which you
will then have to securely transfer to your proxy server so that squid
can access it. Using msktutil on your proxy server, you can get the
same keytab without having to transfer it. Thus, msktutil saves you
some time and hassle. AFAIR both need "Administrator" rights, which
means the account used for ktpass/msktutil needs to be a member of the
Administrator group.

2. To answer this question, one would need more information about your
network and your setup. Basically, mixing any other authentication
method with Kerberos is not a good idea. That's because if the other
method is insecure or less secure, an attacker who gains access to a
user's credentials will be able to impersonate that user against
Kerberos and thus be able to use ALL services that this user has
access to. In any case, DO NOT use basic auth with Kerberos in a
public setup. That's a recipe for disaster. Digest auth and NTLM
(v2) might be suitable, but these are in fact less secure than Kerberos
and thus not preferable. One downside to Kerberos is that it's an
"all-or-nothing" service: either you use Kerberos and only Kerberos, or
you risk security breaches in any "mixed" situation.

HTH

Khaled

2010/4/6 GIGO . <gigoz_at_msn.com>:
>
> Dear All,
>
> Please guide me in regard to SSO setup with Active Directory (no winbind/Samba). I have the following questions in this regard.
>
> 1. Creating a Kerberos service principal and keytab file that is used by Squid: what is the effective method? What is the difference between using ktpass vs. the msktutil package? What rights would I require in Active Directory, and if none, then why so?
>
> 2. How to configure the fallback authentication scheme if Kerberos fails? LDAP authentication using basic looks to be an option, but isn't it less secure? Is there a better approach possible?
>
> regards,
>
> Bilal Aslam
Received on Thu Apr 08 2010 - 16:58:05 MDT
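The reply's first point is that both ktpass and msktutil end up producing a keytab holding the service key Squid decrypts tickets with, and that the only practical difference is whether the file has to be copied to the proxy. Whichever tool made it, the thing worth verifying before pointing Squid at the file is that the keytab actually contains HTTP/<proxy fqdn>@<REALM> (the SPN browsers ask the KDC for) and what key types it holds. The following is an added example, not code from Squid, MIT Kerberos, msktutil or anyone in this thread: it parses the MIT keytab file format (version 0x0502, which is what ktpass and msktutil write) and reports on the principal Squid needs. The host name proxy.example.com, the realm EXAMPLE.COM and the key bytes are constructed sample values.

```python
"""Inspect an MIT-format keytab (as written by ktpass or msktutil) and check it
holds the HTTP/<fqdn> service principal Squid needs.  Added example, not Squid,
MIT or msktutil code; hostname, realm and key bytes are constructed values."""
import struct
from typing import Dict, List, NamedTuple

# Kerberos enctype numbers commonly seen in AD-issued keytabs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
# Single DES is broken and RC4 is legacy; such service keys let the KDC
# issue weak service tickets for the proxy.
WEAK_ENCTYPES = {1, 3, 23}

class KeytabEntry(NamedTuple):
    principal: str   # e.g. "HTTP/proxy.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes

def _counted(buf: bytes, pos: int):
    """Counted octet string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (magic 0x0502) MIT keytab into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab, magic %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry (hole)
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key))
    return entries

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Write entries in the same format (used here to construct sample data)."""
    out = [b"\x05\x02"]
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)

def check_service_keytab(data: bytes, fqdn: str, realm: str) -> Dict[str, object]:
    """Report whether HTTP/<fqdn>@<REALM> is present and flag weak key types."""
    # Browsers build the SPN from the lower-case proxy FQDN; the realm is upper case.
    wanted = "HTTP/%s@%s" % (fqdn.lower(), realm.upper())
    entries = parse_keytab(data)
    matching = [e for e in entries if e.principal == wanted]
    problems = []
    if not matching:
        problems.append("%s not in keytab; present: %s"
                        % (wanted, sorted({e.principal for e in entries})))
    for e in matching:
        if e.enctype in WEAK_ENCTYPES:
            problems.append("kvno %d has weak enctype %s"
                            % (e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
    return {"principal": wanted, "present": bool(matching),
            "kvnos": sorted({e.kvno for e in matching}),
            "enctypes": sorted(ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
                               for e in matching),
            "problems": problems}

# Constructed sample: a proxy keytab as ktpass -crypto All or msktutil's default
# enctypes (RC4 plus AES) might produce; includes an unrelated host/ entry.
SAMPLE_FQDN, SAMPLE_REALM = "proxy.example.com", "EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, bytes(range(32))),
    KeytabEntry("HTTP/proxy.example.com@EXAMPLE.COM", 3, 23, bytes(range(16))),
    KeytabEntry("host/proxy.example.com@EXAMPLE.COM", 3, 18, bytes(range(32, 64))),
])
```

On a real proxy, call `check_service_keytab(open("/etc/squid/HTTP.keytab", "rb").read(), "proxy.example.com", "EXAMPLE.COM")` against the file produced by, for instance, `msktutil -c -s HTTP/proxy.example.com -k /etc/squid/HTTP.keytab` (run on the proxy after a `kinit` as an account allowed to create or modify the computer object) or by `ktpass -princ HTTP/proxy.example.com@EXAMPLE.COM -mapuser squidproxy -crypto All -ptype KRB5_NT_PRINCIPAL -pass * -out HTTP.keytab` on a domain controller; those invocations and account names are illustrative assumptions. The sample reports the principal as present with kvno 3 and one problem, the RC4 key. A keytab with only `host/` entries, or with the SPN in the wrong case, comes back with `present` false, which is the usual reason a fresh Squid Kerberos setup answers every request with 407.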

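The reply's second point, that a basic-auth fallback next to Kerberos turns a Kerberos proxy into a password-collecting proxy, is easiest to see in the configuration itself. The fragment below is an added example of a squid.conf for the setup the thread discusses, not configuration from the thread or from the Squid project: the Kerberos-only form first, then the fallback the reply warns against, commented out, with the challenge sequence it would cause. Helper names are those shipped with Squid 3.1 (later releases rename them negotiate_kerberos_auth and basic_ldap_auth); paths, host names, the realm and the LDAP bind account are assumptions.

```conf
# Kerberos-only proxy authentication against Active Directory.
# The keytab from msktutil/ktpass is read by the MIT library, which takes
# its path from KRB5_KTNAME; export that in the squid start script, e.g.
#   export KRB5_KTNAME=/etc/squid/HTTP.keytab
# and make the file readable by the squid user only:
#   chown squid:squid /etc/squid/HTTP.keytab && chmod 600 /etc/squid/HTTP.keytab
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

acl kerb_users proxy_auth REQUIRED
http_access deny !kerb_users
http_access allow kerb_users
http_access deny all

# The "fallback" the reply warns against.  With a basic scheme configured as
# well, every 407 carries BOTH challenges, in the order the schemes are listed:
#   Proxy-Authenticate: Negotiate
#   Proxy-Authenticate: Basic realm="proxy"
# A client that cannot get a ticket (wrong SPN in the keytab, clock skew, a
# machine outside the domain), or whose Negotiate challenge an on-path
# attacker stripped from the plaintext 407, falls back to Basic: the browser
# prompts and sends the user's AD password base64-encoded in the clear.
# Leave these lines out anywhere the proxy is reachable from a public network.
#auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -f "(sAMAccountName=%s)" -D "cn=squid,cn=Users,dc=example,dc=com" -w "bind-password" -h dc.example.com
#auth_param basic realm proxy
#auth_param basic credentialsttl 2 hours
```

If a machine cannot obtain a service ticket, the useful fix is on the Kerberos side (correct SPN in the keytab, time in sync with the DC, the proxy addressed by its FQDN rather than an IP) rather than a second scheme that weakens the first; the Basic lines above are kept only to show what the weak setting looks like.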
This archive was generated by hypermail 2.2.0 : Fri Apr 09 2010 - 12:00:03 MDT