Single sign on between apache2, kerberos and AD 2003

Discussion in 'Server Operation' started by bdesmet, Jan 3, 2012.

  1. bdesmet

    bdesmet New Member

    I'm trying to get a Single Sign On system working, but I keep on hitting the same error. Here is a part of the logs:

    Code:
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1277): [client 10.29.0.153] Acquiring creds for HTTP/cognos.predika.be@PREDIKA.BE
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1424): [client 10.29.0.153] Verifying client data using KRB5 GSS-API
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1440): [client 10.29.0.153] Client didn't delegate us their credential
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1468): [client 10.29.0.153] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1138): [client 10.29.0.153] GSS-API major_status:00090000, minor_status:00000000
    [Tue Dec 27 14:34:23 2011] [error] [client 10.29.0.153] gss_accept_sec_context() failed: Invalid token was supplied (, No error)
    Login via basic auth:

    Code:
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1025): [client 10.29.0.153] Using HTTP/cognos.predika.be@PREDIKA.BE as server principal for password verification
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(714): [client 10.29.0.153] Trying to get TGT for user cognos03@PREDIKA.BE
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1110): [client 10.29.0.153] kerb_authenticate_user_krb5pwd ret=0 user=cognos03@PREDIKA.BE authtype=Basic
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1605): [client 10.29.0.153] matched previous auth request
    My krb5 config file:
    Code:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = PREDIKA.BE
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
    [realms]
     PREDIKA.BE = {
      kdc = PREDIKA.BE
     }
    
    [domain_realm]
     .predika.be = PREDIKA.BE
     predika.be = PREDIKA.BE
    
    [logging]
    	kdc = FILE:/var/log/kerberos/krb5kdc.log
    	admin_server = FILE:/var/log/kerberos/kadmin.log
    	default = FILE:/var/log/kerberos/krb5lib.log
    
    The Apache config:
    Code:
    <IfModule mod_auth_kerb.c>
        AuthType Kerberos
        AuthName "Kerberos Login"

        KrbMethodNegotiate    on
        KrbVerifyKDC          off
        KrbSaveCredentials    off
        KrbMethodK5Passwd     on

        KrbServiceName        HTTP/cognos.predika.be@PREDIKA.BE
        KrbAuthRealms         PREDIKA.BE
        Krb5Keytab            /etc/krb5.keytab

        require  valid-user
    </IfModule>
    I'm totally confused. Maybe someone has seen the problem before, or can see an error in my configuration?
     
    Last edited: Jan 3, 2012
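
The first log in the post shows mod_auth_kerb warning that the client's token "seems to be NTLM". The following added example, which is not part of the original post and is not mod_auth_kerb code, decodes the value of an `Authorization: Negotiate` request header and reports whether it carries a bare NTLMSSP message or a GSS-API/SPNEGO token, and which mechanisms the client offered. The function names and both sample tokens are constructed for illustration.

```python
import base64
# DER-encoded OID bodies of the mechanisms that can appear in a Negotiate token.
SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
OIDS = {SPNEGO: "spnego", KRB5: "krb5", MS_KRB5: "ms-krb5", NTLM: "ntlm"}

def read_tlv(buf, pos):                 # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"           # bare NTLMSSP message, no GSS-API framing
        tag, body, _ = read_tlv(token, 0)   # 0x60 opens a GSS-API initial context token
        otag, oid, pos = read_tlv(body, 0)  # 0x06 is the outer mechanism OID
        mech = OIDS.get(oid, "unknown") if (tag, otag) == (0x60, 0x06) else "unknown"
        if mech != "spnego":
            return mech                 # e.g. a Kerberos token sent without SPNEGO
        inner = body[pos:]              # NegTokenInit: [0] SEQUENCE { [0] SEQUENCE OF OID
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, inner, _ = read_tlv(inner, 0)
            if tag != expected:
                return "unknown"
        mechs, p = [], 0
        while p < len(inner):
            _, oid, p = read_tlv(inner, p)
            mechs.append(OIDS.get(oid, "unknown"))
    except (IndexError, ValueError):
        return "malformed"
    return "spnego:" + ",".join(mechs)

# Constructed samples, not captured traffic: a minimal NegTokenInit and a bare NTLMSSP type 1.
def sample_spnego(*mechs):
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER only
    init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(tlv(6, m) for m in mechs)))))
    return "Negotiate " + base64.b64encode(tlv(0x60, tlv(6, SPNEGO) + init)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(24)).decode()
```

A result of `raw-ntlm` or `spnego:ntlm` means the client never presented a Kerberos ticket for the service, so the place to look is the client and directory side rather than the keytab.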
