Markus, I could not get you. Please can you elaborate a bit?

thank you all!

regards,
Bilal

----------------------------------------
> To: squid-users@xxxxxxxxxxxxxxx
> From: huaraz@xxxxxxxxxxxxxxxx
> Date: Thu, 8 Apr 2010 20:04:30 +0100
> Subject: Re: Creating a kerberos Service Principal.
>
> BTW You do not need Administrator rights. You can set permission for
> different Groups on OUs, for example for Unix Kerberos Admins.
>
> Markus
>
> "Khaled Blah" wrote in message
> news:n2j4a3250ab1004080957id2f4a051xb31445428c62bea0@xxxxxxxxxxxxxxxxx
> Hi Bilal,
>
> 1. ktpass and msktutil practically do the same, they create keytabs
> which include the keys that squid will need to decrypt the ticket it
> receives from the user. However ktpass only creates a file which you
> will then have to securely transfer to your proxy server so that squid
> can access it. Using msktutil on your proxy server, you can get the
> same keytab without having to transfer it. Thus, msktutil saves you
> some time and hassle. AFAIR both need "Administrator" rights, which
> means the account used for ktpass/msktutil needs to be a member of the
> Administrator group.
>
> 2. To answer this question, one would need more information about your
> network and your setup. Basically, mixing any other authentication
> method with Kerberos is not a good idea. That's because if the other
> method is insecure or less secure, an attacker who gains access to a
> user's credentials will be able to impersonate that user against
> Kerberos and thus be able to use ALL services that this user has
> access to. In any case DO NOT use basic auth with Kerberos in a
> public set-up. That's a recipe for disaster. Digest auth and NTLM
> (v2) might be suitable but these are in fact less secure than Kerberos
> and thus not preferable. One down-side to Kerberos is that it's an
> "all-or-nothing" service, either you use Kerberos and only Kerberos or
> you risk security breaches in any "mixed" situation.
>
> HTH
>
> Khaled
>
> 2010/4/6 GIGO . :
>>
>> Dear All,
>>
>> Please guide me in regard to SSO setup with Active Directory (No
>> winbind/Samba). I have the following questions in this regard.
>>
>> 1. Creating a Kerberos service principal and keytab file that is used by
>> the Squid, what is the effective method? Difference between using Ktpass vs
>> Msktutil package? What rights would I require in Active Directory and
>> if none then why so?
>>
>> 2. How to configure the fallback Authentication scheme if Kerberos fails?
>> LDAP authentication using basic looks to be an option but isn't it less
>> secure? Is there a better approach possible?
>>
>> regards,
>>
>> Bilal Aslam
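
Added example, not part of the thread and not code from Squid, ktpass or msktutil: the first answer above says a keytab holds the keys Squid needs to decrypt tickets, so this Python parser lists which principal, key version and encryption type a keytab carries, without printing the key, as a check after either tool has produced the file. It assumes the MIT keytab file format version 0x0502; the principal `HTTP/proxy.example.com@EXAMPLE.COM`, the helper names and the all-zero key are constructed sample values.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _parse_entry(buf):
    """Decode one entry into (principal, kvno, enctype name, key length)."""
    (ncomp,) = struct.unpack_from(">H", buf, 0)   # name components, realm excluded
    off = 2
    def counted():                                # 16-bit length, then that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", buf, off)
        off += 2 + n
        return buf[off - n:off].decode("utf-8")
    realm = counted()
    name = "/".join([counted() for _ in range(ncomp)])
    _ntype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", buf, off)
    off += 13 + klen                              # step over the key bytes, never print them
    if off > len(buf):
        raise ValueError("truncated keytab entry")
    if len(buf) - off >= 4:                       # optional 32-bit kvno replaces the 8-bit one
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return (f"{name}@{realm}", kvno, ENCTYPES.get(etype, f"etype-{etype}"), klen)

def parse_keytab(data):
    """List the entries of a version 0x0502 keytab without exposing key material."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                              # negative size marks a deleted slot
            pos -= size
        elif size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
            pos += size
    return entries

def build_sample(principal, realm, kvno, etype, key):
    """Build one entry of constructed test data (dummy key, made-up principal)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    parts = principal.split("/")
    body = (struct.pack(">H", len(parts)) + cs(realm) + b"".join(map(cs, parts))
            + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: one AES-256 entry with an all-zero dummy key.
SAMPLE = b"\x05\x02" + build_sample("HTTP/proxy.example.com", "EXAMPLE.COM", 3, 18, bytes(32))
```

For a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the principal and key version with what the directory holds for the service account.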