From my browser I want to open the site http://auth.another.com and authenticate with Kerberos (AuthType: "Negotiate"). I don't want to enter a user and password (AuthType: Basic).
If I use http://auth.example.local, the same domain (example.local) as Active Directory, Negotiate authentication works perfectly. If I use another domain, it does not work.
My krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    EXAMPLE.LOCAL = {
        kdc = svr-dc1.example.local
        admin_server = svr-dc1.example.local
    }

    [domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL
DNS: auth.another.com

Windows Active Directory user account (SPN): http/auth.another.com@EXAMPLE.LOCAL
I tried adding to krb5.conf:

    [domain_realm]
    .another.com = EXAMPLE.LOCAL
    another.com = EXAMPLE.LOCAL
I found the solution. The SPN I had created started with HTTPS/ because I thought that using the HTTPS protocol required the SPN to be defined as HTTPS, but no, it must remain HTTP.
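To make the two moving parts visible, here is an added example (not the poster's code, and not anything from MIT krb5 or Windows itself). It implements the lookup order libkrb5 documents for [domain_realm] when dns_lookup_realm is off (exact host name first, then each parent domain with a leading dot, then default_realm), derives the SPN a browser asks for when it gets a `WWW-Authenticate: Negotiate` challenge, and checks it against the SPNs registered on the service account. The embedded krb5.conf text is constructed from the question's config with the asker's extra .another.com mapping merged in; the parser is a deliberately minimal one and the registered-SPN lists are made up for the demonstration.

```python
"""Added example: [domain_realm] mapping and the SPN requested for Negotiate.

Constructed input (mirrors the question's krb5.conf plus the .another.com
lines the asker tried). The parser below is a simplified stand-in for the
profile library in MIT krb5; it handles only what this file needs.
"""
from urllib.parse import urlsplit

KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
EXAMPLE.LOCAL = {
    kdc = svr-dc1.example.local
    admin_server = svr-dc1.example.local
}

[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL
.another.com = EXAMPLE.LOCAL
another.com = EXAMPLE.LOCAL
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat key = value lines.

    Brace-delimited sub-blocks such as the per-realm block under [realms]
    are skipped, since only [libdefaults] and [domain_realm] matter here.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(conf, host):
    """Map a host name to a realm the way [domain_realm] is consulted when
    DNS realm lookup is disabled: exact host first, then '.parent.domain'
    entries from the longest suffix down, finally default_realm."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


def negotiate_spn(url, conf):
    """SPN the browser requests a service ticket for on a Negotiate challenge.

    The service class is always HTTP: the URL scheme (http or https) and the
    port do not change it, which is exactly why an HTTPS/ SPN never matches.
    """
    host = urlsplit(url).hostname
    return "HTTP/%s@%s" % (host, realm_for_host(conf, host))


def ticket_obtainable(requested_spn, registered_spns):
    """True if the KDC can find the requested service principal.

    Active Directory matches SPNs case-insensitively, so http/ and HTTP/ are
    the same principal, but HTTPS/ is a different service class altogether.
    """
    principal = requested_spn.split("@", 1)[0].lower()
    return any(principal == spn.lower() for spn in registered_spns)


CONF = parse_krb5_conf(KRB5_CONF)

if __name__ == "__main__":
    spn = negotiate_spn("https://auth.another.com/login", CONF)
    print("browser requests:", spn)
    # Made-up registrations: the asker's original mistake, then the fix.
    print("HTTPS/ registered :", ticket_obtainable(spn, ["HTTPS/auth.another.com"]))
    print("http/ registered  :", ticket_obtainable(spn, ["http/auth.another.com"]))
```

Run it and the first check comes back False and the second True: with the .another.com mapping the realm lookup is already correct, so the only remaining reason for the KDC to return an unknown-principal error is the service class in front of the slash.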