
Re: Logging in service principal



On Mon, 22 May 2006 11:15:11 +0200 (CEST)
michel.brabants@euphonynet.be wrote:

> Hello,
> 
> thank you for all your previous help, but I have another problem ... I can
> log in as a normal user, but I can't get a tgt? for the HTTP-service-principal.
> I followed the tutorial at http://www.grolmsnet.de/kerbtut/ for a windows
> KDC and mixed the Windows-kpass-command given there with the kpass-command
> in the README of the Heimdal-package.
> 
> When I use kinit for the HTTP-service-principal, I get a "client unknown"
> back. More specifically, I'm talking about the equivalent of the following
> line in the tutorial: kinit -k -t
> /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de. I
> can get a credential for the HTTP-service after I logged in using my own
> userid and password. Maybe I need to use NT_HST_?? instead of
> KRB5_NT_PRINCIPAL?

I think you're mixed up. You don't want to kinit with the HTTP service
principal. You kinit as you on the client. You put the keytab created
by ktpass.exe for the HTTP service principal on the web server (the
HTTP service) and adjust the config accordingly so that it uses it. Now
when you visit the webpage your web browser will get a ticket for the
HTTP service principal from the KDC and send it to the web server. The
web server uses the encryption key in the keytab to decrypt the ticket
thereby verifying your identity.

Mike
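An added illustration of the server-side half Mike describes, not part of the thread: an Apache mod_auth_kerb configuration (the module the grolmsnet tutorial builds on) that points the HTTP service at the keytab. The keytab path and principal are taken from the quoted question; the realm GROLMSNET.DE and the /secure location are assumptions.

```apache
# Apache 2.x with mod_auth_kerb loaded (assumed). Added example, not from the thread.
# The keytab produced by ktpass.exe on the Windows KDC is copied to the web
# server only; no kinit is ever run with the HTTP principal here.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Realm in which the browser user's TGT was issued (assumed value)
    KrbAuthRealms GROLMSNET.DE
    # Service part of the principal the browser requests a ticket for,
    # i.e. HTTP/beren.grolmsnet.de@GROLMSNET.DE
    KrbServiceName HTTP
    # Keytab holding that principal's key; Apache uses it to decrypt the
    # service ticket the browser presents and so verifies the user
    Krb5Keytab /usr/local/apache/conf/http_beren.krb5keytab
    # Accept SPNEGO/Negotiate tickets from the browser
    KrbMethodNegotiate On
    # Do not fall back to Basic auth, which would send the password to the server
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
```

The keytab file must be readable by the user Apache runs as and by nobody else, since anyone who can read it can impersonate the HTTP service.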