I finally could look more into Windows 2008 and I found some unusual
behaviour. Firstly you need hotfix 951191 and possibly
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"KdcUseRequestedEtypesForTickets"=dword:00000001
Secondly it looks like 2008 creates the HTTP principal out of a host
principal (see my posts on the MIT Kerberos mailing list). The workaround
I got is:
use msktutil:
msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> \
    -k /etc/krb5.keytab --computer-name squid-host --upn host/<fqdn> \
    --server <domain controller> --verbose --enctypes 28
delete any AD entry for HTTP/<fqdn>
Then use ktutil (for MIT Kerberos):
# ktutil
ktutil: addent -key -p HTTP/<fqdn>@DOMAIN -k 2 -e aes256-cts-hmac-sha1-96
Key for HTTP/<fqdn>@DOMAIN (hex): 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil: wkt /etc/krb5.keytab
ktutil: quit
where the key is the same key as the host key, which you can get with
klist -ekKt /etc/krb5.keytab:
# klist -ekKt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (ArcFour with HMAC/md5) (0x824b609421c13ca9f6f0faf93163fe7a)
   2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC) (0x700fd54f1d4ec2cd379d239f056235b3)
   2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)
I would appreciate it if someone could confirm or deny this.
Regards
Markus
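The key-copy step above (read the host/<fqdn> keys out of the keytab with klist -ekKt, then re-add them as HTTP/<fqdn> with ktutil addent) is easy to get wrong when typing 64 hex characters by hand, and the post only copies the AES-256 key, so clients that negotiate AES-128 or RC4 for the HTTP service would still fail. The script below is an added example, not code from the post or from msktutil/MIT Kerberos: it parses klist -ekKt output, clones every enctype of the host principal into the HTTP principal with the same KVNO, and emits (or pipes to ktutil) the exact session the post typed by hand. The realm EXAMPLE.COM and host squid.example.com stand in for the post's DOMAIN and <fqdn>; the sample klist output is constructed from the post's listing with those placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally run) the
# ktutil session that clones every key of host/<fqdn> into HTTP/<fqdn>, taking
# KVNO, enctype and key bytes from `klist -ekKt`. Assumes MIT Kerberos klist
# and ktutil; EXAMPLE.COM / squid.example.com are placeholder names.
set -eu

# Constructed sample of `klist -ekKt /etc/krb5.keytab` output. The KVNO,
# timestamps and key bytes are the ones shown in the post; the names are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 22:08:24 host/squid.example.com@EXAMPLE.COM (ArcFour with HMAC/md5) (0x824b609421c13ca9f6f0faf93163fe7a)
   2 08/29/09 22:08:24 host/squid.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) (0x700fd54f1d4ec2cd379d239f056235b3)
   2 08/29/09 22:08:24 host/squid.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)'

# Map the enctype name klist prints (the long form of 2009-era releases or the
# short form newer releases print) to the name `addent -e` accepts.
# Unknown enctypes return 1 so callers can skip them.
ktutil_enctype() {
    case "$1" in
        "AES-256 CTS mode with 96-bit SHA-1 HMAC"|aes256-cts-hmac-sha1-96) echo aes256-cts-hmac-sha1-96 ;;
        "AES-128 CTS mode with 96-bit SHA-1 HMAC"|aes128-cts-hmac-sha1-96) echo aes128-cts-hmac-sha1-96 ;;
        "ArcFour with HMAC/md5"|arcfour-hmac|arcfour-hmac-md5)             echo arcfour-hmac ;;
        *) return 1 ;;
    esac
}

# keytab_entries KLIST_TEXT PRINCIPAL -> one line per key: "KVNO<TAB>enctype<TAB>hexkey"
# Only lines naming exactly PRINCIPAL (followed by the enctype in parentheses) match.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '
        index($0, " " p " (") {
            rest = substr($0, index($0, "(") + 1)
            et   = substr(rest, 1, index(rest, ")") - 1)
            key  = $NF; sub(/^\(0x/, "", key); sub(/\)$/, "", key)
            print $1 "\t" et "\t" key
        }'
}

# keytab_key KLIST_TEXT PRINCIPAL ENCTYPE -> hex key of that enctype (short ktutil name)
keytab_key() {
    keytab_entries "$1" "$2" | while IFS="$(printf '\t')" read -r kvno et key; do
        if [ "$(ktutil_enctype "$et" 2>/dev/null || true)" = "$3" ]; then
            printf '%s\n' "$key"
            break
        fi
    done
}

# ktutil_script KLIST_TEXT SRC_PRINC DST_PRINC KEYTAB -> the ktutil commands that
# add DST_PRINC with every key of SRC_PRINC (same KVNO) and write them to KEYTAB.
# Deliberately no `rkt` first: ktutil's wkt adds entries to an existing keytab,
# so reading it in beforehand would duplicate every existing entry on write.
ktutil_script() {
    keytab_entries "$1" "$2" | while IFS="$(printf '\t')" read -r kvno et key; do
        e=$(ktutil_enctype "$et") || continue
        printf 'addent -key -p %s -k %s -e %s\n%s\n' "$3" "$kvno" "$e" "$key"
    done
    printf 'wkt %s\nquit\n' "$4"
}

# apply_key_copy KEYTAB SRC_PRINC DST_PRINC: run the generated session for real
# and list the new entries so the KVNO can be checked against the host entries.
apply_key_copy() {
    command -v ktutil >/dev/null 2>&1 || { echo "ktutil not installed" >&2; return 2; }
    ktutil_script "$(klist -ekKt "$1")" "$2" "$3" "$1" | ktutil
    klist -ekt "$1" | grep -F "$3"
}

# Dry run against the constructed sample: prints the session the post typed by hand,
# once per enctype instead of only for AES-256.
ktutil_script "$SAMPLE_KLIST" host/squid.example.com@EXAMPLE.COM \
    HTTP/squid.example.com@EXAMPLE.COM /etc/krb5.keytab
```

On the real host run apply_key_copy /etc/krb5.keytab host/<fqdn>@DOMAIN HTTP/<fqdn>@DOMAIN as root after msktutil has written the host keys; the KVNO of the cloned HTTP entries must match the host entries, which is exactly what breaks after the next msktutil --auto-update password rotation bumps the host KVNO, so the copy has to be repeated whenever the computer account key changes.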