BTW, you do not need Administrator rights. You can set permissions for
different groups on OUs, for example for Unix Kerberos Admins.
Markus
"Khaled Blah" <khaled.blah@xxxxxxxxxxxxxx> wrote in message
news:n2j4a3250ab1004080957id2f4a051xb31445428c62bea0@xxxxxxxxxxxxxxxxx
Hi Bilal,
1. ktpass and msktutil practically do the same, they create keytabs
which include the keys that squid will need to decrypt the ticket it
receives from the user. However ktpass only creates a file which you
will then have to securely transfer to your proxy server so that squid
can access it. Using msktutil on your proxy server, you can get the
same keytab without having to transfer it. Thus, msktutil saves you
some time and hassle. AFAIR both need "Administrator" rights, which
means the account used for ktpass/msktutil needs to be a member of the
Administrator group.
2. To answer this question, one would need more information about your
network and your setup. Basically, mixing any other authentication
method with Kerberos is not a good idea. That's because if the other
method is insecure or less secure, an attacker who gains access to a
user's credentials will be able to impersonate that user against
Kerberos and thus be able to use ALL services that this user has
access to. In any case DO NOT use basic auth with Kerberos in a
public set-up. That's a recipe for disaster. Digest auth and NTLM
(v2) might be suitable, but these are in fact less secure than Kerberos
and thus not preferable. One downside to Kerberos is that it's an
"all-or-nothing" service: either you use Kerberos and only Kerberos, or
you risk security breaches in any "mixed" situation.
HTH
Khaled
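Whichever tool produces the keytab, the useful check on the proxy side is that the file actually holds the HTTP/ service principal with the kvno and enctype squid expects; otherwise ticket decryption fails. The following is an added example, not code from this thread or from squid/msktutil: a small parser for the MIT keytab format (version 0x0502) run over a constructed keytab with a hypothetical principal HTTP/proxy.example.com@EXAMPLE.COM and a dummy key.

```python
import struct

# Enctype numbers -> names (RFC 3961/3962 and the arcfour type Windows uses).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def build_keytab(realm, components, kvno, enctype, key, timestamp=0):
    """Build a one-entry MIT keytab (what ktpass/msktutil write). Constructed
    test data only: the key is a dummy, the principal is hypothetical."""
    body = struct.pack(">H", len(components))           # realm not counted in v2
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return principal/kvno/enctype for each entry; key bytes are never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then name components
            n, = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": ENCTYPES.get(etype, str(etype))})
    return entries

def check_keytab(data, expected_spn):
    """Entries matching the SPN squid will use; an empty list means tickets cannot be decrypted."""
    return [e for e in parse_keytab(data) if e["principal"] == expected_spn]

# Constructed sample keytab with a hypothetical principal and a zeroed dummy key.
SAMPLE = build_keytab("EXAMPLE.COM", ["HTTP", "proxy.example.com"], 3, 18, b"\x00" * 32)
```

Point `parse_keytab` at the real file (`open(path, "rb").read()`) and compare the kvno against the account's current kvno in AD; a stale keytab after a password reset is the usual cause of decryption failures.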
2010/4/6 GIGO . <gigoz@xxxxxxx>:
Dear All,
Please guide me in regard to SSO setup with Active Directory (no
winbind/Samba). I have the following questions in this regard.
1. Creating a Kerberos service principal and keytab file that is used by
Squid: what is the effective method? What is the difference between using ktpass vs
msktutil? What rights would I require in Active Directory, and
if none, then why so?
2. How to configure the fallback authentication scheme if Kerberos fails?
LDAP authentication using basic looks to be an option, but isn't it less
secure? Is there a better approach possible?
regards,
Bilal Aslam