Comments on: Kerberos-Based SSO with Apache

By: koenzym

koenzym — Tue, 27 May 2008 14:47:29 +0000

Never mind. Debug mode of logging in Apache solved my question.

By: koenzym

koenzym — Tue, 27 May 2008 14:32:43 +0000

How can I get information about what principal is used by Apache during authentication to AD? Is there any log mechanism? I’ve checked access log and found nothing.

By: n3bul4

n3bul4 — Wed, 12 Mar 2008 13:10:03 +0000

Hello, I have mod_auth_kerb running with my apache.
Everything is ok when I authenticate as a user with
no german Umlauts in the username.
With umlauts in the username it fails everytime.

I found out, that the Authentication is done using ISO-8859-1. UTF-8 would be correct and would also work.
I tested this with the kinit tool.
When I give kinit the username UTF-8 encoded everything is ok……

any suggestions?

regards

Alex

By: Guilherme AraÃºjo

Guilherme AraÃºjo — Thu, 17 Jan 2008 12:26:55 +0000

And another thing, could u give me an example of the ktpass command replacing the variables by their correct value?

Thank u

By: Guilherme AraÃºjo

Guilherme AraÃºjo — Thu, 17 Jan 2008 11:34:29 +0000

Hi there. Thank u for this great article! but i new help. What privileges does the apache server account need in LDAP? could u be specific? thank u

By: Vit

Vit — Tue, 04 Dec 2007 11:49:43 +0000

Great discussion on SetSPN.exe and and ktpass.exe commands including practical examples can be found here:

http://www.openafs.org/pipermail/openafs-info/2007-January/025039.html

Shows in detail what is going on AD side.

By: slowe

slowe — Tue, 09 Oct 2007 19:29:16 +0000

Grzegorz,

I suppose you might be able to do this as long as each area for which authentication was being mandated was being authenticated by only one realm, i.e., URL A is authenticated by realm A, URL B is authenticated by realm B, etc. This is just a guess, though…I haven’t actually tried this.

Good luck, and let us know how things turn out!

By: Grzegorz

Grzegorz — Tue, 09 Oct 2007 17:26:57 +0000

Simple question. Is possible to configure few domainf from the forest to be authorized by one kerberos module? I can confirm that it is possible to configure multiple realms within one module, but it seems it doesnt work with authentications wi tthe second realm (added to configuration)

By: slowe

slowe — Fri, 21 Sep 2007 11:53:45 +0000

PBL,

A couple of quick thoughts:

- If I’m not mistaken, the SPN for Apache is case-sensitive, so make sure your HTTP is in uppercase. The error “No principal in keytab matches desired name” means that somewhere along the way there’s a mismatch between the client, the server, and the KDC.

- Safari supports Kerberos authentication, but it’s most likely falling back to basic (hence the prompt).

- With regards to Samba, you need to make sure you are using a (very) recent build and that you have the “use kerberos keytab = true” in your smb.conf. Otherwise, Samba won’t create the keytab for you.

Good luck!

By: PBL

PBL — Thu, 20 Sep 2007 18:53:04 +0000

Actually, I do have a keytab (generated through the ktpass utility. The keytab is defined in the auth.kerb.conf file for Apache. Doing a strings command on the file shows the proper domain, HTTP, and the FQDN.