I forgot this link to an Example configuration:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

2010/4/8 Khaled Blah <khaled.blah@xxxxxxxxxxxxxx>:
> Hi Bilal,
>
> 1. ktpass and msktutil practically do the same, they create keytabs
> which include the keys that squid will need to decrypt the ticket it
> receives from the user. However ktpass only creates a file which you
> will then have to securely transfer to your proxy server so that squid
> can access it. Using msktutil on your proxy server, you can get the
> same keytab without having to transfer it. Thus, msktutil saves you
> some time and hassle. AFAIR both need "Administrator" rights, which
> means the account used for ktpass/msktutil needs to be a member of the
> Administrator group.
>
> 2. To answer this question, one would need more information about your
> network and your setup. Basically, mixing any other authentication
> method with Kerberos is not a good idea. That's because if the other
> method is insecure or less secure an attacker who gains access to a
> user's credentials will be able to impersonate that user against
> Kerberos and thus be able to use ALL services that this user has
> access to. In any case DO NOT use basic auth with Kerberos in a
> public set-up. That's a recipe for disaster. Digest auth and NTLM
> (v2) might be suitable but these are in fact less secure than Kerberos
> and thus not preferable. One down-side to Kerberos is that it's an
> "all-or-nothing" service, either you use Kerberos and only Kerberos or
> you risk security breaches in any "mixed" situation.
>
> HTH
>
> Khaled
>
> 2010/4/6 GIGO . <gigoz@xxxxxxx>:
>>
>> Dear All,
>>
>> Please guide me in regard to SSO setup with Active Directory (No
>> winbind/Samba). I have the following questions in this regard.
>>
>> 1. Creating a Kerberos service principal and keytab file that is used
>> by the Squid, what is the effective method? Difference between using
>> Ktpass vs Msktutil package? What rights would I require in Active
>> Directory, and if none then why so?
>>
>> 2. How to configure the fallback authentication scheme if Kerberos
>> fails? LDAP authentication using basic looks to be an option but isn't
>> it less secure? Is there a better approach possible?
>>
>> regards,
>>
>> Bilal Aslam
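
An added example, not part of the original thread or of the Squid project's code: a small squid.conf check for the "mixed" situation discussed in point 2, reporting any weaker scheme (basic, digest, ntlm) configured alongside negotiate (Kerberos) and whether it is listed first. The sample configs, helper paths, host name and realm are constructed placeholders.

```python
import re

# Schemes the reply above ranks below Kerberos (Squid's "negotiate" scheme).
WEAKER = ("basic", "digest", "ntlm")
AUTH_PARAM = re.compile(r"^\s*auth_param\s+(\w+)\s+program\s+(\S+)", re.IGNORECASE)

def configured_schemes(squid_conf):
    """Return [(scheme, helper)] in first-appearance order, ignoring comments."""
    seen, ordered = set(), []
    for line in squid_conf.splitlines():
        m = AUTH_PARAM.match(line.split("#", 1)[0])  # strip '#' comments first
        if m and m.group(1).lower() not in seen:
            seen.add(m.group(1).lower())
            ordered.append((m.group(1).lower(), m.group(2)))
    return ordered

def audit_mixed_auth(squid_conf):
    """Return [(scheme, listed_before_negotiate)] for weaker schemes next to Kerberos."""
    names = [scheme for scheme, _ in configured_schemes(squid_conf)]
    if "negotiate" not in names:
        return []  # no Kerberos configured, so nothing is "mixed"
    k = names.index("negotiate")
    # Squid advertises schemes in the order they first appear in squid.conf,
    # so a weaker scheme listed before negotiate is offered to clients first.
    return [(s, names.index(s) < k) for s in names if s in WEAKER]

# Constructed sample configs; paths, host and realm are placeholders.
MIXED = """
auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=example,dc=test
auth_param basic realm proxy
# auth_param ntlm program /usr/bin/ntlm_auth
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.test@EXAMPLE.TEST
auth_param negotiate children 10
"""
KERBEROS_ONLY = """
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.test@EXAMPLE.TEST
"""

if __name__ == "__main__":
    for scheme, first in audit_mixed_auth(MIXED):
        where = "before" if first else "after"
        print(f"WARN: {scheme} is offered alongside negotiate (listed {where} it)")
```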