Generate KeyTab file and enable Kerberos auth

In order to configure and enable Kerberos authenticator on Squid proxy navigate to Admin UI / Squid Proxy / Auth / Active Directory and click the Kerberos tab.


You will need to provide the following information.

Service Principal Name

The Service Principal Name (SPN) - is the Kerberos principal that will be used by the connecting browsers for authentication. It is usually constructed from the FQDN of the proxy and Kerberos realm automatically. For example, HTTP/proxy.example.lan@EXAMPLE.LAN. Click the wizard button next to the field to try autodetection based on your DNS and DHCP settings.

KeyTab for SPN

Here you must specify the keytab file that contains entries required to do the Kerberos authentication.


Please note, designated squid@example.lan user we created on the previous step, Service Principal Name and KeyTab file are three closely related entities. SPN is mapped to user squid@example.lan. Keytab is generated from both SPN and squid@example.lan user as follows.

  1. Login as Administrator to your Domain Controller
  2. Start the elevated Command Prompt
  3. Change to disk C:
  4. Run the following command
ktpass -princ HTTP/proxy.example.lan@EXAMPLE.LAN -mapuser squid@EXAMPLE.LAN -crypto rc4-hmac-nt -pass Passw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

The command will make C:\krb5.keytab file and the output will look like the following.


Now set Enable Kerberos authenticator checkbox, specify C:\krb5.keytab in the key tab browse button, set the SPN and click Save Changes.

After sucessful upload the application will perform various validation of the keytab, and will try to perform Kerberos authentication to the configured domain controller by running a series of Kerberos commands as indicated on Troubleshooting Squid Active Directory Integration. Output of these commands is shown on the Kerberos configuration page.



Technical information: Admin UI generates correct Kerberos conf file in /opt/websafety/etc/krb5.conf based on the uploaded keytab, SPN and Kerberos realm. This configuration file is later used by the Kerberos authenticator to initialize Kerberos libraries. That is why it is possible to leave the default /etc/krb5.conf empty.

The generated Kerberos configuration file will usually look like:

default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1


More technical information: excerpt from microsoft’s documentation for Active Directory … unlike Kerberos principal names, Windows account names are not multipart. Because of this, it is not possible to directly create an account of the name HTTP/proxy.example.lan in the Active Directory. Such a principal instance can be created through the service principal name mappings…


There should be ONLY one user mapped to a given SPN. If you have two or more different Active Directory users mapped to one SPN - Kerberos authentication will ALWAYS FAIL. For more information see blog entry at