On Thu, 2009-04-23 at 16:16 +0200, Yves-Alexis Perez wrote:
> fqdn.example.net has a correct reverse while vhost.example.net doesn't,
> but forcing it in the various /etc/hosts involved doesn't work.
>
> Looking at the logs it seems that firefox and internet explorer don't
> even try to start to negotiate Kerberos auth from the vhost one.
>
> I'm wondering if I should use one principal per vhost (which doesn't
> scale very well).
I tried to create another user in AD and map fqdn.example.net to that user, creating another keytab. Then I used that second keytab in the vhost protection, and it worked. So Kerberos auth works fine, and the config as well. But having to create a user per service doesn't scale very well (especially if you multiply the vhost number by various criticality levels: dev/qa/test/prod/...), so it'd be nice if I could use only one AD user per server. Having one service principal name per server would be even better, but I guess I could do with one SPN per vhost if I can map all of them to the same AD user.

Any idea on how to do that?

Cheers,
--
Yves-Alexis
________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
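The keytab side of the one-account, many-SPNs setup asked about above, as an added example that is not part of this thread: a parser and writer for the version-2 keytab format plus a function that clones the keys held for HTTP/fqdn.example.net under additional SPNs such as HTTP/vhost.example.net. The KDC must still know every SPN on that account (the SPN registration in AD is separate from the keytab), otherwise a browser can never obtain a service ticket for the vhost and will not even start Negotiate, which matches the symptom in the logs. It assumes all SPNs are registered on the same AD account, whose Kerberos keys derive from the account password rather than from the SPN, and the sample keytab, realm and key bytes are constructed.

```python
import struct
def _cstr(buf, pos):
    """Read a keytab counted_octet_string: uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):
    """Parse a version-2 (MIT/Heimdal) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot: skip it
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c)
        _nt, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        key, tail = data[pos + 13:pos + 13 + klen], data[pos + 13 + klen:end]
        vno = (struct.unpack(">I", tail[:4])[0] or vno8) if len(tail) >= 4 else vno8  # optional 32-bit kvno
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "kvno": vno, "etype": etype, "key": key})
        pos = end
    return entries
def build_keytab(entries):
    """Serialize entries to keytab bytes (name type 1 = KRB5_NT_PRINCIPAL, timestamp 0)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
        body += struct.pack(">IIBHH", 1, 0, e["kvno"] & 0xFF, e["etype"], len(e["key"])) + e["key"]
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", e["kvno"])
    return bytes(out)
def add_spns(entries, template, new_spns):
    """Clone the template principal's keys under each extra SPN (assumption: the SPNs are
    all registered on one AD account, so they share that account's password-derived keys)."""
    base = [e for e in entries if e["principal"] == template]
    if not base: raise KeyError(template)
    return entries + [dict(e, principal=p) for p in new_spns for e in base]

# Constructed sample keytab: AES256 (etype 18) and RC4 (etype 23) keys for the server's FQDN.
SAMPLE = build_keytab([{"principal": "HTTP/fqdn.example.net@EXAMPLE.NET", "kvno": 3, "etype": 18, "key": bytes(range(32))},
                       {"principal": "HTTP/fqdn.example.net@EXAMPLE.NET", "kvno": 3, "etype": 23, "key": bytes(16)}])
```

Writing `build_keytab(add_spns(parse_keytab(open(path, "rb").read()), template, spns))` to a new file gives one keytab that covers every vhost on the server; `klist -kt` on the result should list each SPN with the same kvno.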
