Kerberos-Based SSO with Apache

The key to the magic here is the mod_auth_kerb module, which adds Kerberos authentication to Apache. This module not only allows Apache to use Kerberos on the “back-end,” so to speak, but also supports the SPNEGO and GSS-API stuff on the “front-end” that allow it to transparently authenticate users connecting with supported browsers, without ever prompting for a password.

Preparing Active Directory (Each Apache Server)

These steps need to be repeated for each Apache server that will be authenticating via Kerberos to Active Directory.

  1. First, create a user account (not a computer account) for each Apache server. I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server. Since Apache will use the HTTP service principal, a name like HTTP-lnxservername would be good. The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account. The command will look something like this (substitute the appropriate values where necessary):
     
    ktpass -princ HTTP/fqdn@REALM -mapuser DOMAIN\account
    -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
    -out filename

     
    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account will need its own unique file). I suggest using the server’s name as the filename, i.e., something like “lnxservername.keytab”.

It would be ideal if we could leverage the existing computer account that may exist for that Linux server for host authentication (I’m assuming you followed my instructions for integrating host authentication into Active Directory, yes?), but for some reason it doesn’t work. We can use the SetSPN utility to add the appropriate SPN to the computer account, but authentication still doesn’t work. If any Kerberos/Active Directory gurus out there have some insight on this, please let me know. (By the way, this may be one reason for using user accounts for all the various SPNs—HOST/fqdn@REALM, HTTP/fqdn@REALM, etc.—as some of the online guides for integrating Linux and Active Directory have suggested.)

Now we’re ready to move on to configuring the Apache servers.

Configuring Apache (Each Server)

Repeat these steps for each Apache server. In case I haven’t already mentioned this, I’m assuming you’re running Apache 2.0 on Linux, and not on some flavor of Windows.

  1. Download and install the mod_auth_kerb Apache module.
  2. Add the following directives to the Apache configuration, either in httpd.conf or in the conf.d directory in its own file (my installation of mod_auth_kerb created an auth_kerb.conf in conf.d):
     
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
     
    <Location /secured>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    require valid-user
    </Location>

     
    Substitute the correct values for the KrbAuthRealms directive (your Kerberos realm name will be your Active Directory domain name in UPPERCASE) and the location and name of the keytab. (We’ll copy the keytab over shortly.)
  3. Securely copy over the keytab for this server from the Windows server where it was generated using ktpass.exe earlier. SFTP or SCP are good candidates. Once the file has been copied over, rename it and place it in the right location, as specified in the configuration entered above.
  4. Change the owner of the keytab to the Apache user (typically “apache” or “web”), and set the permissions to 400 (readable only by the Apache user).
  5. Restart the Apache HTTP daemon for the configuration changes to be read and applied.

Assuming that your Apache server is accessible as web.example.com, you should now be able to fire up a recent version of Internet Explorer (one that supports Integrated Windows Authentication) and navigate to the “http://web.example.com/secured” URL and gain access, without getting prompted for authentication. A quick review of the access logs (typically /var/log/httpd/access_log) shows that you are being authenticated as the user that is currently logged on to Windows. (If the browser you are using doesn’t support the transparent authentication, you’ll get prompted for a username and password, in which case you can enter your Active Directory username and password and gain access to the site.)

If this doesn’t work, go back and double-check your ktpass.exe command (noting that the case of the Kerberos principal specified by the “-princ” option is important, as it is case-sensitive). Also check the permissions on the keytab after it has been copied over to the Linux server; it must be readable by the Apache user (and should not be readable by any other users or groups). Finally, try unchecking the “Enable Integrated Windows Authentication” option in Internet Explorer, restarting IE, re-checking that box, and then restarting IE again. (Don’t ask why, but it does seem to help in some instances.)
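As an added example (not code from the original post or from mod_auth_kerb), here is a small Python parser for the MIT keytab format that ktpass writes, used to run the checks the paragraph above describes without needing the krb5 tools: that the HTTP/fqdn@REALM principal is present with the exact case Apache will request, that the realm is uppercase, and, as a caveat beyond the walk-through, that the DES key types it uses are flagged as weak. The keytab bytes are constructed inline; the layout assumptions (0x0502 header, big-endian fields) follow the MIT keytab file format.

```python
"""Inspect an MIT-format keytab and check it against the principal mod_auth_kerb expects."""
import struct
from dataclasses import dataclass

# Encryption type numbers (RFC 3961 / RFC 4757) that commonly appear in keytabs
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # DES and RC4 are deprecated by modern Kerberos implementations


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/web.example.com@EXAMPLE.COM
    kvno: int
    enctype: int


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at offset `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Return the entries of a version-2 (0x0502) MIT keytab.

    Any other header raises ValueError with the wording krb5 itself uses; that is
    the 'Unsupported key table format version number' failure seen in the logs."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("Unsupported key table format version number")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type (4 bytes) + timestamp (4 bytes) + 8-bit key version number
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen               # the key bytes themselves are not needed here
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno; non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def build_keytab(entries, key=b"\x00" * 16):
    """Assemble a version-2 keytab; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", e.enctype, len(key)) + key
        body += struct.pack(">I", e.kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, expected_principal: str):
    """Return the mismatches that show up in the Apache error log as
    'No principal in keytab matches desired name' or 'Key table entry not found'."""
    problems = []
    entries = parse_keytab(data)
    names = [e.principal for e in entries]
    if expected_principal not in names:
        same_ignoring_case = [n for n in names if n.lower() == expected_principal.lower()]
        if same_ignoring_case:
            problems.append(f"principal case mismatch: keytab has {same_ignoring_case[0]}, "
                            f"Apache will ask for {expected_principal}")
        else:
            problems.append(f"no entry for {expected_principal}; keytab has {names or 'no entries'}")
    realm = expected_principal.rsplit("@", 1)[1]
    if realm != realm.upper():
        problems.append(f"realm {realm} is not uppercase")
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{e.principal} kvno {e.kvno} uses weak enctype "
                            f"{ENCTYPES.get(e.enctype, e.enctype)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: -princ was typed in lowercase and the key is DES-CBC-MD5 (enctype 3)
    sample = build_keytab([KeytabEntry("http/web.example.com@EXAMPLE.COM", 3, 3)])
    for problem in check_keytab(sample, "HTTP/web.example.com@EXAMPLE.COM"):
        print("WARNING:", problem)
```

To run it against a real file, pass `open("/etc/httpd/conf/httpd.keytab", "rb").read()` to `check_keytab` together with the HTTP/fqdn@REALM principal you gave to ktpass.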

Finally, note that a few other browsers also support the transparent authentication. I personally tested Safari and Shiira on Mac OS X, and both worked fine (after I had obtained a Kerberos ticket, either using the Kerberos application or kinit from a shell prompt). Camino didn’t work, which is a bummer. I haven’t tested Firefox yet, but I’m told that Firefox also works, although an extension may be required.

Extensive credit goes to Achim Grolms for his walk-through of using mod_auth_kerb with a Windows KDC.


  1. Dean’s avatar

    I have just started to look/learn how to integrate our Linux/Solaris servers into AD and have found your site very useful.

    I came across the below link that explains how to generate keytabs for computer accounts, is this useful?

    http://www.mail-archive.com/[email protected]/msg10373.html

    Also a few questions, your instructions show you using -crypto DES-CBC-MD5 +DesOnly I notice that Samba uses RC4-HMAC for its tickets and I think that most newer Linux distributions support RC4-HMAC, is there any reason not to use it with Apache?

    Finally, the Kerberos transparent authentication works great, but I really need to implement authorization via AD so we can limit who accesses what. Is it possible to have user authentication through Kerberos and authorization via LDAP in Apache?

  2. slowe’s avatar

    Dean,

    I’m glad you’re finding the site useful.

    With regards to using computer accounts with ktpass.exe, you can certainly do that, and you’ll note that some of my earlier articles regarding Linux-AD integration discussed the use of computer accounts. However, what you need is the ability to use different SPNs based on what type of authentication you’re performing. For example, you’ll need the HTTP/fqdn@REALM SPN for Apache SSO, but you’ll need a host/fqdn@REALM for integration via PAM or native Kerberos authentication. Even though Active Directory itself stores multiple SPNs, I have not yet found a way to do the same thing in this situation, so I recommend the use of user accounts (one for each SPN that you need). Hopefully, I’ll find a way to store multiple SPNs and generate keytabs using a single account and can incorporate that information here.

    Also, note that a flaw existed in ktpass.exe in Windows Server 2003 SP1 when generating keytabs for computer accounts that caused TGT validation to fail. I believe that was mentioned in the comments for one of the Linux-AD integration articles.

    My recommendation for the use of DES encryption types was based on prior work and research done, where the Linux-AD integration gurus indicated that DES encryption types were the only types supported. I’ll have to look into that on the AD side and see if that has changed.

    Finally, I don’t think you’ll be able to combine Kerberos authentication and LDAP authorization for Apache. You certainly can for host-based integration, say via PAM, but I would think that because of the way Apache works you won’t be able to combine the two. I most certainly could be wrong, though.

  3. Emmanuel Gomez’s avatar

    Scott,

    I’ve found your various AD/Linux integration articles very informative and interesting, thanks for putting this all together.

    Regarding multiple SPNs/machine account — if you’re not averse to using Samba, you can set ‘use kerberos keytab = yes’ in smb.conf (if you add the directive to smb.conf before adding the machine to the domain, Samba will create an /etc/krb5.keytab with host/ and cifs/ Service Principals set up). Alternatively, you can have Samba create a new /etc/krb5.keytab with ‘net ads keytab create.’ I’m not sure if the Samba box must already be joined to the domain for the keytab creation to work.

    Once a keytab is in place, you can add SPNs to a machine account with ‘net ads keytab add Service1 [Service2 [Service3...]]’ where Service1-ServiceN is/are the service type(s) you want (eg., HTTP, host, cifs, whatever, although if you created the machine account using ‘net ads join’, you will already have host/, cifs/, and smb/ Service Principals in the keytab).

    This info is in the Samba docs, but I’ve read them over a few times, and I just discovered the ‘use kerberos keytab’ directive today. It goes a long way to making Samba useful for managing the integration of other kerberized services on your *nix member server.

    Oh yeah, all those ‘net ads …’ commands probably need to be run as root on your *nix server, and will need the credentials of an AD user with domain admin permissions. Either use -U and provide an admin password for each command (eg, ‘sudo net ads join -U Administrator’), or get a TGT for the admin then use that (eg, ‘sudo kinit Administrator && net ads join’).

    Hopefully that will help someone,
    Emmanuel Gomez

  4. slowe’s avatar

    Emmanuel,

    That is some good information; thanks for sharing it. I am definitely not averse to using Samba and would love to be able to go back to using computer accounts with multiple SPNs, so I’ll have to give this a swing in the lab. I’m interested in the Samba side of things anyway, since I want to be able to show users how to use a Samba server in place of a standard Windows file server, and we’ll need Kerberos integration with Samba in order to do that. Again, thanks for the information!

    Scott

  5. David G’s avatar

    Emmanuel,

    Thanks for the ‘net ads keytab add Service1’ tip – from what I can see, it looks like it does the right things in AD (i.e. it adds HTTP/ into the servicePrincipalName attribute) and seems to update the keytab too.

    What I can’t get right (and what Scott has already hinted at) is getting the authentication conversation right – if I try this at a command line on my Linux box ‘test’:

    kinit -V -k -S HTTP [email protected]

    I get back the error message ‘Key table entry not found while getting initial credentials’.

    Can anyone confirm whether I’ve got the command right or wrong? If it is right, then I suspect that the Kerberos client libs and the server are disagreeing about some part of the protocol exchange (I can see that the client sends the initial TGT to the server, but that’s all).

    I think I’m gonna pull out the sniffer and pull apart the protocol exchange tomorrow…

    David G

  6. David G’s avatar

    Scott (or anyone else who’s tried this),

    Has anyone tried to check whether Apache tries to do Kerberos authentication for follow-on page requests? Particularly in the instance where you have Basic Auth web clients?

    I only ask this because if Apache does do a Kerberos exchange for every HTTP get/post request, you could pretty quickly hammer both your Apache server and your DC with auth traffic.

    A while back I made this type of mistake using LDAP auth to an AD DC – every get/post resulted in a TCP connect, LDAP bind, LDAP search, LDAP rebind and TCP disconnect – needless to say, performance took a big hit (plus the wire seemed to get a bit warm ;-) . Now I know that Kerberos auth is UDP based but you will have a minimum 4 packet exchange over the wire (assuming that you don’t have to do DNS lookups, ARPs, etc.)

    Any experiences would be appreciated.

    David G

  7. slowe’s avatar

    David G,

    Although I can’t say this definitely, I don’t think that Apache is going to try Kerberos authentication for follow-on page requests. Once I have a Kerberos ticket, then the Apache server shouldn’t need to go back to the KDC very much, if at all. Once the service ticket has been validated, you should be good to go.

    Again, though, I can’t answer that definitely. I’d have to do a network trace to make sure.

    Regarding the use of the Samba ‘net ads’ tool, I tried using SetSPN.exe, a Microsoft tool that also adds SPNs to objects in Active Directory. I could never make it work for authentication and therefore had to drop back to multiple objects. As I haven’t yet had the chance to try the Samba tools (would love to, just haven’t had time yet), I can’t say how effectively they’ll work or what might be occurring when they don’t work.

    Scott

  8. becks’s avatar

    I have Windows 2003 SP1 Enterprise Edition as domain controllers and an openSUSE 10.2 as web server. To get that stuff working I had to call Microsoft to obtain a fixed ktpass.exe. See http://support.microsoft.com/kb/919557

  9. slowe’s avatar

    Becks,

    Thanks for the article number. I know that the post-SP1 ktpass.exe fix has been mentioned a couple of times here on the site, so it’s pretty important to get that fix if you are going to use ktpass.exe. There is another way, though–check out my article on using Samba for Linux-AD integration:

    http://blog.scottlowe.org/2006/12/19/using-samba-in-linux-ad-integration/

    Thanks,
    Scott

  10. ils’s avatar

    Thank you very much for that very usable article. It helped us to tune our web server accordingly. Although I have a question about AD group membership. Is there any solution for how to integrate authorization based on AD group membership after the user itself has been authenticated against AD via Kerberos? Thank you very much. -Ils

  11. slowe’s avatar

    There is probably a way to incorporate group membership for authorization in Apache, but the exact method to do that is escaping me at the moment. Let me do some research and then perhaps I can post more information here.

    Thanks,
    Scott

  12. Ils’s avatar

    Thank you, Scott, for your willingness to do some research. I will wait for your results. BTW: I also made some careful research of this and I found that the following goals should be achieved:

    1. Initial SSO authentication with kerberos – provided by mod_auth_kerb.
    2. Secondary SSO authorization via group membership – partly provided by different kind of ..ldap.. or ..samba.. auth modules.

    Although the following problems are still not addressed (at least according to my research):

    1. ldap or samba auths are not SSO capable so there is always prompt for username and password.
    2. there is no clear standard solution to make double auth in apache

    So I would think that here we have the following solutions how to address problems explained above:

    1. Use mod_auth_kerb for initial authentication and then use php scripts for further detailed authorization.
    2. Use mod_auth_kerb along with “require group ” and “AuthGroupFile ” directives and have synchronized with ldap or Active Directory on regular basis.

    And my final question: Is there solution to tune Apache to have double auths: initial via kerberos and secondary via ldap group or samba group both with SSO? This would be best complete solution for intranet!

    Thanks,
    Ils

  13. Ils’s avatar

    Hello!
    Answering on my own question after additional research I may say that the following projects may address the needs mentioned above. Those projects support kerberos authentication and consequent ldap authorization providing more or less complete SSO solution.

    webauth.stanford.edu
    http://www.pubcookies.org

    Thanks,
    Ils

  14. hjochums’s avatar

    Hi

    Does mod_auth_kerb support multi-FQDN on the same host?

    I am having big problems getting it to work..:/

    Seems like it can’t figure out the keys if the AD has more than one domain..

  15. slowe’s avatar

    I don’t know for certain about multi-FQDN setups, but I would suspect that it won’t work. Has to do with keytabs, hostnames, and the like.

    If anyone has any other information, please post.

    Thanks,
    Scott

  16. Vidya’s avatar

    Scott,

    Thanks a lot for posting this article. It was very useful. I have a problem which I hope you can solve. I currently have Apache 2.2.4 with mod_auth_kerb 5.3 running on Linux set up to authenticate against Windows 2000 as KDC. I also configured IE to support SPNEGO so that I can do transparent authentication. Everything works fine but occasionally it falls back to Basic Authentication. Once it falls back to Basic I need to log off and log on for transparent authentication to work. Is there some way I can get around this problem, like some setting which makes the ticket never expire?

    Thanks
    Vidya

  17. Michael Robertshaw’s avatar

    I’ve cracked the problem of why no one is successful at using a Computer Account in AD for the SPNs. The reason is that the KVNO on the Account is incremented for each invocation of KTPASS. Consequently those tickets that have been extracted before are now invalid. The solution is to anticipate the final KVNO when adding/extracting many SPNs and use the “-kvno” parameter to KTPASS to control what the KVNO of each extracted ticket will be!

    The batch file I’ve developed below works a treat!!

    @setlocal
    @rem ------------------------------------------------------------
    @rem Record Service Principal Names for Computer %HOSTNAME%
    @rem with AD Account %HOSTNAME%$.
    @rem
    @rem If the current KVNO is 8 and you are recording 5 SPNs
    @rem then you should set KVNO=13 so that all keytabs have
    @rem the same version as the finally added SPN.
    @rem ------------------------------------------------------------
    @set KVNO=49
    @set HOSTNAME=ssydcrux
    @set FQDN=ent.ad.cognos.com
    @set REALM=CS.SB.COGNOS.COM
    @set KDC=sottcsdc1.cs.sb.cognos.com

    @rem Delete any existing KeyTab files before we regenerate them
    @del %HOSTNAME%_*.keytab 2>NUL

    @rem Create the initial host SPN and record as userPrincipalName too.
    @set service=host
    @call :AddSPN %service% -mapop set +setupn

    @rem Create additional servicePrincipalNames
    @for %%s in (ftp cifs ldap HTTP) do @call :AddSPN %%s -mapop add -setupn

    @goto END

    :AddSPN
    @set SERVICE=%1
    @echo ---------- %SERVICE%/%HOSTNAME%.%FQDN%@%REALM% -----------
    ktpass -out %HOSTNAME%_%SERVICE%.keytab -princ %SERVICE%/%HOSTNAME%.%FQDN%@%REALM% +rndpass -mapuser %HOSTNAME%$ +DesOnly -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -kvno %KVNO% +Answer -target %KDC% %2 %3 %4 %5 %6 %7 %8 %9
    @echo.
    @goto :EOF

    :END
    @dir %HOSTNAME%_*.keytab
    @endlocal

  18. Henning’s avatar

    Hi Scott!

    I really appreciate all the work you did to put up all the info about Linux, Kerberos and AD! So now I got my Apache-AD-SSO-Integration up and running within my LAN.

    But the next step would be to make one of my sites hosted on my Apache available to the world. So I created a dyndns account and configured my firewall … et voilà, I can access my website. But of course I would like to authenticate users using the AD credentials, but how would I set up a scenario like this?

    I already tried adding a new account to AD “HTTP-myhost.dyndns.org” and added the keytab to Apache. But looking at the logfile I get something like “Acquiring creds for HTTP/[email protected]” … hmm, what to do next?

  19. slowe’s avatar

    Henning,

    It’s possible that you might be able to manipulate the domain-realm mapping on the Linux server to say that the dyndns.org DNS domain maps to your AD domain (which is a Kerberos realm). I can’t guarantee you that will work, though. Review the krb5.conf file and have a look at the [domain_realm] section.

    Failing that, I don’t think there’s any way you’ll be able to make it work. You would need access to the KDC for dyndns.org (assuming there is one), which is highly unlikely to happen.

    Good luck!

  20. Henning’s avatar

    Well, I did change my krb5.conf, and at least this seems to work … kinda. But when I’m asked to enter my credentials in the browser, I don’t get logged on …

    — cut — cut — cut —
    [...]

    [Fri Aug 03 09:10:56 2007] [debug] src/mod_auth_kerb.c(1322): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Fri Aug 03 09:10:56 2007] [error] [client 168.224.32.15] specifying realm in user name is prohibited
    [Fri Aug 03 09:10:56 2007] [debug] src/mod_auth_kerb.c(879): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(null)
    [Fri Aug 03 09:10:56 2007] [info] Connection to child 5 closed with unclean shutdown(server server.outside.domain:443, client xxx.xxx.xxx.xxx)

    [...]

    [Fri Aug 03 09:11:40 2007] [debug] src/mod_auth_kerb.c(1322): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Fri Aug 03 09:11:40 2007] [error] [client xxx.xxx.xxx.xxx] failed to verify krb5 credentials: Key table entry not found
    [Fri Aug 03 09:11:40 2007] [debug] src/mod_auth_kerb.c(879): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(null)
    [Fri Aug 03 09:11:40 2007] [info] Connection to child 6 closed with unclean shutdown(server server.outside.domaing:443, client xxx.xxx.xxx.xxx)
    — cut — cut — cut —

  21. slowe’s avatar

    Henning,

    You’re still getting a “Key table entry not found,” which means the server is trying to look up a keytab entry that doesn’t exist. This tells me that it’s still trying to use some combination of domain names and realms that you haven’t yet addressed. You’ll want to make sure that you have matching keytab entries on the Linux server as well as in Active Directory as well.

    Good luck!

  22. Henning’s avatar

    Well, there is something else going wrong. I traced some stuff and I figured: since I’m accessing my website from the “outside” (which is some random computer connected to the internet), this computer has no Kerberos ticket. Alternatively IE sends some NTLM challenge and then a Basic Authentication to authenticate the user. Unfortunately Apache doesn’t know how to handle either of them … well, where to go from here?

  23. slowe’s avatar

    Henning,

    Yes, you’re exactly right. Without a Kerberos ticket, the external client just won’t be able to authenticate. And, even if you did have a Kerberos ticket, then you’ve still got to reconcile the realm name for Kerberos and the external DNS domain name that you are using, so that Kerberos clients (and servers) can properly map realms to domains and vice versa.

    I don’t think there’s anything else you can do, except perhaps try some other form of authentication (like perhaps client-side certificates or something?).

    Good luck!

  24. Henning’s avatar

    Hmm, ok, so I need to rethink my authentication – I kinda figured that already. So what other options do I have to authenticate users at my Apache (running on Linux) against Active Directory? NTLM? LDAP?

    Do you know any alternative? Did you try anything yet?

  25. slowe’s avatar

    LDAP from Apache to Active Directory should work fine.

  26. Henning’s avatar

    yep, that did the job! Thanx!

  27. PBL’s avatar

    Great information here, thanks to everyone for sharing. Unfortunately it’s not working for me.

    I keep getting the error ‘gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name’ in the logs when using IE7, with a 500 message showing in the browser window. When using Firefox or Safari, I’m prompted for credentials, which work if input appropriately. This tells me that kerberos is resolving the names (kinit works fine too at the shell), correct?

    I checked the nslookup on the Apache server on the server and on a windows machine. Both return the same name used in -princ, in addition to the alias which is used to shorten the name for browser clients.

    If I use the samba method explained elsewhere, the net ads join does not create the krb5.keytab file that everyone else says it should. We’re well versed in Samba/AD authentication, using it for file services everyday for more than a year.

    Anyone have suggestions? Two days with this and I’m getting so close…

  28. Henning’s avatar

    Well, if you get “No principal in keytab matches desired name” and you’re missing the krb5.keytab file … there you go! That’s exactly the problem. You need to have a keytab file in order to do Kerberos authentication with Apache.

    Kinit doesn’t need this keytab, and Firefox AFAIK cannot send your Kerberos ticket, so it’s using basic authentication, and that doesn’t seem to need the keytab either.

  29. PBL’s avatar

    Actually, I do have a keytab (generated through the ktpass utility). The keytab is defined in the auth.kerb.conf file for Apache. Doing a strings command on the file shows the proper domain, HTTP, and the FQDN.

  30. slowe’s avatar

    PBL,

    A couple of quick thoughts:

    - If I’m not mistaken, the SPN for Apache is case-sensitive, so make sure your HTTP is in uppercase. The error “No principal in keytab matches desired name” means that somewhere along the way there’s a mismatch between the client, the server, and the KDC.

    - Safari supports Kerberos authentication, but it’s most likely falling back to basic (hence the prompt).

    - With regards to Samba, you need to make sure you are using a (very) recent build and that you have the “use kerberos keytab = true” in your smb.conf. Otherwise, Samba won’t create the keytab for you.

    Good luck!

  31. Grzegorz’s avatar

    Simple question. Is it possible to configure a few domains from the forest to be authorized by one Kerberos module? I can confirm that it is possible to configure multiple realms within one module, but it seems it doesn’t work with authentication with the second realm (added to configuration).

  32. slowe’s avatar

    Grzegorz,

    I suppose you might be able to do this as long as each area for which authentication was being mandated was being authenticated by only one realm, i.e., URL A is authenticated by realm A, URL B is authenticated by realm B, etc. This is just a guess, though…I haven’t actually tried this.

    Good luck, and let us know how things turn out!

  33. Vit’s avatar

    Great discussion on SetSPN.exe and ktpass.exe commands including practical examples can be found here:

    http://www.openafs.org/pipermail/openafs-info/2007-January/025039.html

    Shows in detail what is going on AD side.

  34. Guilherme Araújo’s avatar

    Hi there. Thank u for this great article! But I need help. What privileges does the Apache server account need in LDAP? Could u be specific? Thank u

  35. Guilherme Araújo’s avatar

    And another thing, could u give me an example of the ktpass command replacing the variables by their correct value?

    Thank u

  36. n3bul4’s avatar

    Hello, I have mod_auth_kerb running with my apache.
    Everything is ok when I authenticate as a user with
    no german Umlauts in the username.
    With umlauts in the username it fails everytime.

    I found out, that the Authentication is done using ISO-8859-1. UTF-8 would be correct and would also work.
    I tested this with the kinit tool.
    When I give kinit the username UTF-8 encoded everything is ok……

    any suggestions?

    regards

    Alex

  37. koenzym’s avatar

    How can I get information about what principal is used by Apache during authentication to AD? Is there any log mechanism? I’ve checked access log and found nothing.

  38. koenzym’s avatar

    Never mind. Debug mode of logging in Apache solved my question. :-)

  39. Brian’s avatar

    I believe computer accounts have the AD attribute ms-DS-Allowed-To-Delegate-To set to false whereas users have it true. That is why you cannot use them as service accounts.

  40. shah’s avatar

    I’ve a Windows domain controller, and a Linux (CentOS) machine, where I set up Kerberos and mod_auth_kerb. The keytab file was generated on Windows using ktpass; now on my Linux machine, kinit, klist etc. are working fine.
    But when I tried to access from IE (on a Windows machine), I found an internal server error (500) and when I checked the Apache logs, I found gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Unsupported key table format version number).
    Can anybody tell me what’s wrong here?

  41. TomEeK’s avatar

    I have the same problem with gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Unsupported key table format version number). Did anybody find a solution?

    thank you

  42. Chris Cowley’s avatar

    Thanks Scott, this and its related articles have been pretty useful to me (I also appreciate that there are other Christians writing about these things).

    Do you (or anyone here) know of any way to modify the principal that gets written to Apache’s REMOTE_USER variable? I want to strip off the realm so that I just have the user sAMAccountName. I have quite a few applications using Kerberos, so patching all of them to break apart the variable will be a bit of a hassle.

  43. Pat Gonzalez’s avatar

    Here’s another open source library, http://spnego.sourceforge.net, that has examples on how to setup your environment to Kerberos/SPNEGO authentication.

    Take a look at the http://spnego.sourceforge.net/pre_flight.html documentation

    and the example on how to install on Tomcat.

    http://spnego.sourceforge.net/spnego_tomcat.html

  44. Rajsekhar’s avatar

    Help Required….

    I have followed the above procedure, and I’m facing some problems.

    Actually I’m using a 64-bit Linux machine.
    So I downloaded and installed the mod_auth_kerb Apache modules
    and I added the tag in the httpd.conf file also ..

    But when I restart the Apache service then I face the error as below
    ——————————————————————————————-
    httpd: Syntax error on line 176 of /opt/IBM/HTTPServer/conf/httpd.conf: Cannot load /opt/IBM/HTTPServer/modules/mod_auth_kerb.so into server: /opt/IBM/HTTPServer/modules/mod_auth_kerb.so: wrong ELF class: ELFCLASS64
    ——————————————————————————————-

    The system on which I have installed, configured and made the mod_auth_kerb is a 64-bit machine…

    Can you please help me regarding this……..

  45. Rajsekhar’s avatar

    I have downloaded the file from

    http://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/mod_auth_kerb-5.4/mod_auth_kerb-5.4.tar.gz/download

    I also tried with the download from

    http://modauthkerb.sourceforge.net/ also … but the error is the same as above…

    Please help me ….

  46. Rajsekhar’s avatar

    The above link directly downloads, so this is the link from where I downloaded ….

    http://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/mod_auth_kerb-5.4/

  47. slowe’s avatar

    Rajsekhar, I haven’t touched this stuff in five years. Hopefully another reader will be able to help you out.

  48. Rajsekhar’s avatar

    Hi Slowe,

    Thanks for replying to me …

    I solved the above problem by adding the -m32 tag to the command used for compiling the module.

    But after following the complete procedure along with this article, http://support.microsoft.com/kb/555092, I made all the changes and ./apachectl -t gave me a Syntax OK message also, but I’m not getting an SSO popup or at least I couldn’t log in to my application.

    And I couldn’t find any change in the type/mode of login even if I remove the added tags specified above in httpd.conf.

    Can you help me or at least assist me in how to check what the minute change in the mode of login is after adding the tags?

    Thanks,

    Hoping for a +ve response.
    Rajasekhar.

  49. slowe’s avatar

    Rajsekhar, as I mentioned I haven’t worked with this particular subset of knowledge in five years—I really can’t help you. Sorry!

  50. Rajsekhar’s avatar

    PLEASE someone help …………….

    I’m Getting

    [Thu Nov 03 19:52:55 2011] [error] [client 121.1.1.1] krb5_get_init_creds_password() failed: Cannot find KDC for requested realm, referer: http://localhost/

    please somebody help….
