Comments on: Kerberos-Based SSO with Apache http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 19 Jun 2013 18:05:18 +0000 hourly 1 http://wordpress.org/?v= By: Jayen http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-2/#comment-57559 Jayen Fri, 20 Jul 2012 12:37:33 +0000 http://blog.scottlowe.org/?p=316#comment-57559 Perhaps you can help me. I've set up mod_auth_kerb and some cases work and some don't. The ones that don't only give me the debug message "src/mod_auth_kerb.c(1939): [client x.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos" with nothing else. What works: firefox with a password, git with a kerberos ticket without a reverse proxy. What doesn't work: git with a password, git with a kerberos ticket through a reverse proxy. I would suspect that the reverse proxy might cause the service principal name to change, but that doesn't seem to be the case, as when using firefox with a password with or without a proxy, the logs show the same service principal name. Thanks, Jayen Perhaps you can help me. I’ve set up mod_auth_kerb and some cases work and some don’t. The ones that don’t only give me the debug message “src/mod_auth_kerb.c(1939): [client x.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos” with nothing else.

What works: firefox with a password, git with a kerberos ticket without a reverse proxy. What doesn’t work: git with a password, git with a kerberos ticket through a reverse proxy.

I would suspect that the reverse proxy might cause the service principal name to change, but that doesn’t seem to be the case, as when using firefox with a password with or without a proxy, the logs show the same service principal name.

Thanks,
Jayen

]]> By: Rajsekhar http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-2/#comment-51982 Rajsekhar Fri, 04 Nov 2011 06:25:46 +0000 http://blog.scottlowe.org/?p=316#comment-51982 There is an other error Specified realm 'DOMAIN' not allowed by configuration, referer: http://localhost I need to say one more thing for all the readers . My application is on Linux tikanga box and the ADS is a windows 2003. The ADS server is under DOMAIN1 and the Appserver is on DOMAIN1 & DOMAIN2. i have specified the realm name as DOMAIN1 There is an other error

Specified realm ‘DOMAIN’ not allowed by configuration,
referer: http://localhost

I need to say one more thing for all the readers .
My application is on Linux tikanga box and the ADS is a windows 2003.

The ADS server is under DOMAIN1 and the Appserver is on DOMAIN1 & DOMAIN2.

i have specified the realm name as DOMAIN1

]]> By: slowe http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-2/#comment-51978 slowe Thu, 03 Nov 2011 15:02:23 +0000 http://blog.scottlowe.org/?p=316#comment-51978 Rajsekhar, it sounds like your Kerberos configuration is incorrect and it can't locate a KDC. Assuming that you are using Active Directory, your Kerberos configuration needs to be configured to be able to reach a domain controller. Refer to any one of the number of Linux-AD integration articles I've written for more details. Good luck! Rajsekhar, it sounds like your Kerberos configuration is incorrect and it can’t locate a KDC. Assuming that you are using Active Directory, your Kerberos configuration needs to be configured to be able to reach a domain controller. Refer to any one of the number of Linux-AD integration articles I’ve written for more details.

Good luck!

]]> By: Rajsekhar http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51977 Rajsekhar Thu, 03 Nov 2011 14:30:09 +0000 http://blog.scottlowe.org/?p=316#comment-51977 PLEASE some one Help ................ I'm Getting [Thu Nov 03 19:52:55 2011] [error] [client 121.1.1.1] krb5_get_init_creds_password() failed: Cannot find KDC for requested realm, referer: http://localhost/ please somebody help.... PLEASE some one Help …………….

I’m Getting

[Thu Nov 03 19:52:55 2011] [error] [client 121.1.1.1] krb5_get_init_creds_password() failed: Cannot find KDC for requested realm, referer: http://localhost/

please somebody help….

]]> By: slowe http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51884 slowe Mon, 17 Oct 2011 09:09:20 +0000 http://blog.scottlowe.org/?p=316#comment-51884 Rajsekhar, as I mentioned I haven't worked with this particular subset of knowledge in five years---I really can't help you. Sorry! Rajsekhar, as I mentioned I haven’t worked with this particular subset of knowledge in five years—I really can’t help you. Sorry!

]]> By: Rajsekhar http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51883 Rajsekhar Mon, 17 Oct 2011 06:45:27 +0000 http://blog.scottlowe.org/?p=316#comment-51883 Hi Slowe, Thanks for replying me ... I solved the above problem by adding -m32 tag to the command used for compiling the module. But after fallowing the complete procedure along with http://support.microsoft.com/kb/555092 this article i made all the changes and the ./apachectl -t gave me a Syntax OK message also, I'm not getting a SSO popup or at-least i couldn't login to my application. And i couldn't find any change in the type/mode of login even if i remove the added tags specified above in httpd.conf. Can you help me or atleast assist me how to check what is the minute change in the mode of login after adding the tags? Thanks, Hoping for a +ve response. Rajasekhar. Hi Slowe,

Thanks for replying me …

I solved the above problem by adding -m32 tag to the command used for compiling the module.

But after fallowing the complete procedure along with http://support.microsoft.com/kb/555092 this article i made all the changes and the ./apachectl -t gave me a Syntax OK message also, I’m not getting a SSO popup or at-least i couldn’t login to my application.

And i couldn’t find any change in the type/mode of login even if i remove the added tags specified above in httpd.conf.

Can you help me or atleast assist me how to check what is the minute change in the mode of login after adding the tags?

Thanks,

Hoping for a +ve response.
Rajasekhar.

]]> By: slowe http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51856 slowe Tue, 11 Oct 2011 15:37:52 +0000 http://blog.scottlowe.org/?p=316#comment-51856 Rajsekhar, I haven't touched this stuff in five years. Hopefully another reader will be able to help you out. Rajsekhar, I haven’t touched this stuff in five years. Hopefully another reader will be able to help you out.

]]> By: Rajsekhar http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51854 Rajsekhar Tue, 11 Oct 2011 10:49:54 +0000 http://blog.scottlowe.org/?p=316#comment-51854 The above link directly downloads so this is the link from where i downloaded .... http://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/mod_auth_kerb-5.4/ The above link directly downloads so this is the link from where i downloaded ….

http://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/mod_auth_kerb-5.4/

]]> By: Rajsekhar http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51853 Rajsekhar Tue, 11 Oct 2011 10:46:44 +0000 http://blog.scottlowe.org/?p=316#comment-51853 i have downloaded the file from http://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/mod_auth_kerb-5.4/mod_auth_kerb-5.4.tar.gz/download i also tried with the download from http://modauthkerb.sourceforge.net/ also ... but the error is same as above... please help me .... i have downloaded the file from

http://sourceforge.net/projects/modauthkerb/files/mod_auth_kerb/mod_auth_kerb-5.4/mod_auth_kerb-5.4.tar.gz/download

i also tried with the download from

http://modauthkerb.sourceforge.net/ also … but the error is same as above…

please help me ….

]]> By: Rajsekhar http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/comment-page-1/#comment-51852 Rajsekhar Tue, 11 Oct 2011 10:44:09 +0000 http://blog.scottlowe.org/?p=316#comment-51852 Help Required.... I have fallowed the above procedure, and i'm facing some problems. Actually i'm using a 64-bit Linux machine. so i downloaded and installed the mod_auth_kerb Apache modules and i added the tag in httpd.conf file also .. but when i restart the apache service then i face the error as below ------------------------------------------------------------------------------------------- httpd: Syntax error on line 176 of /opt/IBM/HTTPServer/conf/httpd.conf: Cannot load /opt/IBM/HTTPServer/modules/mod_auth_kerb.so into server: /opt/IBM/HTTPServer/modules/mod_auth_kerb.so: wrong ELF class: ELFCLASS64 ------------------------------------------------------------------------------------------- the system in which i have installed configured and make the mod_auth_kerb is a 64-Bit machine... can you please he me regarding this........ Help Required….

I have fallowed the above procedure, and i’m facing some problems.

Actually i’m using a 64-bit Linux machine.
so i downloaded and installed the mod_auth_kerb Apache modules
and i added the tag in httpd.conf file also ..

but when i restart the apache service then i face the error as below
——————————————————————————————-
httpd: Syntax error on line 176 of /opt/IBM/HTTPServer/conf/httpd.conf: Cannot load /opt/IBM/HTTPServer/modules/mod_auth_kerb.so into server: /opt/IBM/HTTPServer/modules/mod_auth_kerb.so: wrong ELF class: ELFCLASS64
——————————————————————————————-

the system in which i have installed configured and make the mod_auth_kerb is a 64-Bit machine…

can you please he me regarding this……..

]]>