I see what you are saying. I did a couple of tests yesterday. When I was logged on as a user on the nulcollege.ac.uk domain, it worked perfectly. However, when I was logged on as a user from domain.ac.uk, it did not. When there was no mapping on domain.ac.uk for the service principal for the web server (whose default realm is NULCOLLEGE.AC.UK), no ticket showed up on the Windows box. When the mapping was there, the Windows box got a ticket. This is why I got the idea of using two principals. I guessed I wouldn't be able to map the same principal to an account on domain.ac.uk, as (if nothing else) it would foul up the version numbers and keys for the keytab.
It seems like Windows will first look at the domain of the logged-on user for the service principal, and from what has been said, the AD controller will issue a Kerberos referral to the correct realm. But this only seems to work for the Windows servers on our network. I've looked through the DNS server to see if there were any clues there about how Windows knows where to refer requests, but I could not see anything. Does anyone have any suggestions as to how to get Windows to do the referral in this case, or any other suggestions for getting this to work?

Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard E. Silverman
Sent: 23 May 2006 06:47
To: [email protected]
Subject: Re: Problem using KrbServiceName

>>>>> "MG" == "Martin Goldstone" <[EMAIL PROTECTED]> writes:

Why do you have two different principals for this service? There should be only one, and in fact there *can* be only one, since mod_auth_kerb will only take one as its identity (and report "wrong principal in request" if a client uses the wrong one).

As for "hostname cannot be canonicalized," check the version of mod_auth_kerb you're running -- I think using a fully-qualified principal was added later on.

MG> Hi, I'm getting further along with my problem, and I think it's
MG> coming down to the fact that we've got 2 AD domains here.

MG> Right now, I'm having problems using the KrbServiceName directive
MG> in .htaccess.

MG> I've had to get two different principals mapped to user accounts
MG> and put in the keytab (one for each AD domain) using ktpass.exe,
MG> and now my machine is getting a ticket for the service principal
MG> for the webserver (as shown by kerbtray.exe). However, the error
MG> log on the webserver is telling me "Wrong principal in request".

MG> I've tried adding a KrbServiceName directive, but I consistently
MG> get an error message that reads "Hostname cannot be canonicalized"
MG> if I include the realm, or "No principal in keytab matches desired
MG> name" if I don't. What I suspect I need is
MG> HTTP/[EMAIL PROTECTED] (which is the service
MG> principal mapped to the user account on the domain.ac.uk AD
MG> domain), along with HTTP/[EMAIL PROTECTED]
MG> (which is the equivalent on the nulcollege.ac.uk AD domain, and
MG> also I believe is the principal that the server is expecting).
MG> However, when I enter either the full
MG> HTTP/[EMAIL PROTECTED] I get the first error
MG> message, and when I enter HTTP/webtest.nulcollege.ac.uk I get the
MG> second one.

MG> Can someone tell me where I'm going wrong with this directive?
MG> Any examples for entries that actually work? Would I be better off
MG> just mapping a new service principal such as
MG> www/[EMAIL PROTECTED] on the domain.ac.uk AD
MG> domain to avoid having two service principals starting with the
MG> same string?

MG> Thanks in advance for any advice given.

MG> Martin Goldstone | IT Technician
MG> Newcastle-under-Lyme College, Staffordshire, ST5 2DF
MG> 01782 254307 | [EMAIL PROTECTED]

MG> ________________________________________________
MG> Kerberos mailing list
MG> [email protected]
MG> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Richard Silverman
[EMAIL PROTECTED]
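As an added example, not code from this thread, from mod_auth_kerb or from MIT Kerberos: a small Python parser for the MIT keytab format (version 0x0502) that lists each entry's principal and kvno and reports which entries match a requested KrbServiceName, with or without a realm. This is the check to run when the server logs "No principal in keytab matches desired name" or when two ktpass mappings may have left conflicting entries. The sample keytab is constructed to mirror the thread's situation, one HTTP/ service name mapped in two AD realms; the realm name DOMAIN.AC.UK, the kvnos and the keys are assumptions.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format v2: big-endian fields (v1 is host-order and not handled here)

def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at buf[off:]; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [{'principal': 'svc/host@REALM', 'kvno': n, 'enctype': n}, ...] from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        vno = data[off + 8]  # after name_type (4 bytes) and timestamp (4 bytes) comes the 8-bit kvno
        (enctype,) = struct.unpack_from(">H", data, off + 9)  # keyblock: enctype + counted key
        _key, off = _counted(data, off + 11)
        if end - off >= 4:  # optional 32-bit kvno extension overrides the 8-bit field when non-zero
            vno = struct.unpack_from(">I", data, off)[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno, "enctype": enctype})
        off = end
    return entries

def matching_entries(entries, wanted):
    """Entries whose principal equals `wanted`; a name without '@' matches that name in any realm."""
    if "@" in wanted:
        return [e for e in entries if e["principal"] == wanted]
    return [e for e in entries if e["principal"].split("@", 1)[0] == wanted]

def _entry(realm, comps, kvno, enctype, key):
    """Build one keytab entry (name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 32-bit kvno appended)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample, not a keytab from the page: one HTTP/ name in two AD realms, different kvnos,
# enctype 23 (rc4-hmac) and dummy 16-byte keys.
SAMPLE_KEYTAB = (KEYTAB_MAGIC + _entry("NULCOLLEGE.AC.UK", ["HTTP", "webtest.nulcollege.ac.uk"], 3, 23, b"\x11" * 16)
                 + _entry("DOMAIN.AC.UK", ["HTTP", "webtest.nulcollege.ac.uk"], 5, 23, b"\x22" * 16))
```

Run it against a real keytab with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` (path assumed); a realm-less lookup returning entries in more than one realm is exactly the ambiguity the reply warns about.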
