Hi Markus,

Excuse me for posting in an old list, but I have a small question. I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation, how should I create the keytab file?

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K --upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K --upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

and one for the DNS RR record:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

But there is a problem with the last one: which server name should I put in -s, -h, --upn and --computer-name?

Many Thanks,
George

On 07/02/14 01:26, Markus Moeller wrote:
> Hi Joseph,
>
> it is all possible :-)
>
> Firstly I suggest not to use samba tools to create the squid keytab,
> but use msktutil (see
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
> Then create a keytab for the loadbalancer name (that is the one
> configured in IE or Firefox). Use this keytab on both proxy servers
> and use negotiate_kerberos_auth with -s GSS_C_NO_NAME.
>
> When you say multiple realms, do you have trust between the AD
> domains or are they separate? If the domains do not have trust, do
> you intend to use the same loadbalancer name for the users of both
> domains?
>
> Markus
>
>
> "Joseph Spadavecchia" wrote in message
> news:2B43C569F8254A4E82C948CE4C247ED515891A@xxxxxxxxxxxxx.local...
> > Hi there,
> >
> > What is the recommended way to configure Kerberos authentication
> > behind two load balancers?
> >
> > AFAIK, based on the mailing lists, I should
> >
> > 1) Create a user account KrbUser on the AD server and add an SPN
> > HTTP/loadbalancer.example.com for the load balancer
> > 2) Join the domain with Kerberos and kinit
> > 3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
> > 4) update squid.conf with an auth helper like negotiate_kerberos_auth
> > -s HTTP/loadbalancer.example.com@REALM
> >
> > Unfortunately, when I try this it fails.
> >
> > The only way I could get it to work at all was by removing the SPN
> > from the KrbUser and associating the SPN with the machine trust
> > account (of the proxy behind the loadbalancer). However, this is not a
> > viable solution since there are two machines behind the load balancer
> > and AD only allows you to associate a SPN with one account.
> >
> > Furthermore, given that I needed step (4) above, is it possible to
> > have load balanced Kerberos authentication working with multiple
> > realms? If so, then how?
> >
> > Many thanks.
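The thread's recommendation is one keytab for the load-balancer name (HTTP/proxy.domain.com in George's setup), copied to both proxies and used with negotiate_kerberos_auth -s GSS_C_NO_NAME. The check a practitioner would want before restarting squid on each proxy is that the copied keytab really contains that SPN, at the same kvno on both boxes, and which enctypes it carries. The script below is an added editorial example, not code from the thread or from msktutil or squid: it parses the MIT keytab format (version 0x0502) directly, lists the principals, flags weak enctypes, and reports any required SPN that is missing. The realm DOMAIN.COM is an assumption derived from the hostnames on the page, the key material is dummy bytes, and the sample keytab is constructed in code to mirror what msktutil --enctypes 28 (the bitmask 0x4|0x8|0x10, i.e. RC4 + AES128 + AES256) would produce.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); RC4 and DES are flagged as weak.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def _counted_string(data, pos):
    """Read a keytab counted_octet_string: uint16 big-endian length + bytes."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode("utf-8"), pos + length


def parse_keytab(data):
    """Parse MIT keytab format 0x0502 into a list of entry dicts (keys omitted)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed: negative = deleted slot
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:                                 # optional 32-bit kvno extension
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "timestamp": timestamp, "key_len": len(key)})
    return entries


def read_keytab(path):
    """Parse a keytab file on disk, e.g. /root/keytab/PROXY.keytab from the thread."""
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())


def principals(entries):
    return sorted({e["principal"] for e in entries})


def missing_spns(entries, required):
    """SPNs the load-balanced helper needs but the keytab does not contain."""
    have = {e["principal"] for e in entries}
    return sorted(p for p in required if p not in have)


def weak_entries(entries):
    return [f'{e["principal"]} ({e["enctype_name"]})'
            for e in entries if e["enctype"] in WEAK_ENCTYPES]


def _keytab_entry(principal, enctype, kvno, key):
    """Serialise one keytab entry (used only to build the constructed sample)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 1391731200, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_sample_keytab():
    """Constructed sample, NOT a real keytab: load-balancer SPN in the three enctypes
    that --enctypes 28 requests, plus the proxy1 host key. Realm is assumed; keys are dummy."""
    lb = "HTTP/proxy.domain.com@DOMAIN.COM"
    return (b"\x05\x02"
            + _keytab_entry(lb, 18, 3, b"\x11" * 32)
            + _keytab_entry(lb, 17, 3, b"\x22" * 16)
            + _keytab_entry(lb, 23, 3, b"\x33" * 16)
            + _keytab_entry("host/proxy1.domain.com@DOMAIN.COM", 18, 3, b"\x44" * 32))


if __name__ == "__main__":
    ents = parse_keytab(build_sample_keytab())
    for e in ents:
        print(f'{e["principal"]:40} kvno={e["kvno"]} {e["enctype_name"]}')
    print("missing:", missing_spns(ents, ["HTTP/proxy.domain.com@DOMAIN.COM"]))
    print("weak:", weak_entries(ents))
```

Run it against the real file with read_keytab("/root/keytab/PROXY.keytab") on each proxy; the kvno reported for HTTP/proxy.domain.com must match on both, otherwise the copy that was re-keyed later will have invalidated the other one's tickets.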