Auth problems Windows 2003 server & MIT kerberos5 1.3.3

Daniel Kouril kouril at ics.muni.cz
Tue Aug 10 09:37:50 EDT 2004


Karl Lattimer wrote:
[...]
> But when I try and authenticate with a web browser it doesn't work.
> Producing the error
> 
> krb5_verify_init_creds() failed: Key table entry not found

Your keytab must contain a proper key. Try using the latest version of 
the module (released a few minutes ago) and enable the debug mode in 
Apache. The module will write to the log file which keys it looks for.

> I have found that if I set 
> KrbVerifyKDC Off
> 
> I can authenticate with a password, however the mod_auth_kerb
> documentation states that this is insecure.

Sure, since after verifying the password you must also ensure that the 
KDC isn't being spoofed.

> Also I am always presented with a login box no matter whether or not I
> have KrbMethodNegotiate On or Off

You must have your browser configured properly; see the documentation 
that comes with the module.

> I'm new to Kerberos, actually new means 9am this morning. All I want is
> for members of my AD to open a web browser and access a database without
> being asked for a password while they are on site, off site they must
> enter the username and password. 
> 
> I created my keytab like this;
> 
> C:\Program Files\Support Tools>ktpass -out httpd.keytab -princ
> HTTP/terrorbite.kent-music.com at KENT-MUSIC.COM -mapuser terrorbite -
> crypto DES-CBC-MD5 -pass hidden
> Targeting domain controller: apollo.kent-music.com
> Successfully mapped HTTP/terrorbite.kent-music.com to terrorbite.
> Key created.
> Output keytab to httpd.keytab:
> Keytab version: 0x502
> keysize 72 HTTP/terrorbite.kent-music.com at KENT-MUSIC.COM ptype 1
> (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8
> (0xc2abb5c2aef8831c)
> Account terrorbite has been set for DES-only encryption.

Seems correct. Please try the latest version and check logs. And I'd 
suggest using the modauthkerb list 
(https://sourceforge.net/mail/?group_id=51775), there are more people 
familiar with the module.

--
Daniel
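
Added example, not part of the original message and not mod_auth_kerb code: a small parser for the version 0x502 keytab format reported by ktpass above. It lists each entry's principal, key version (vno) and encryption type so they can be compared with the keys the module's debug log says it looks for. `parse_keytab`, `find_key` and `SAMPLE` are hypothetical names, and the sample bytes are constructed with an all-zero key.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno, etype)] for every live entry in a 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry ("hole"): skip it
            pos += -size
            continue
        if size == 0 or pos + size > len(data):
            raise ValueError("corrupt or truncated keytab entry")
        rec, off = data[pos:pos + size], 2
        pos += size
        def counted():                    # 16-bit length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode("utf-8", "replace")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        off += 8                          # skip name type and timestamp
        kvno = rec[off]                   # 8-bit key version number
        etype, keylen = struct.unpack_from(">HH", rec, off + 1)
        off += 5 + keylen                 # key bytes are skipped, never printed
        if len(rec) - off >= 4:           # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def find_key(entries, principal, kvno, etype):
    """True if the keytab holds a key for exactly this principal, kvno and etype."""
    return (principal, kvno, etype) in entries

# Constructed sample mirroring the ktpass output quoted above, with an all-zero key.
def _cs(s):
    return struct.pack(">H", len(s)) + s
_REC = (struct.pack(">H", 2) + _cs(b"KENT-MUSIC.COM") + _cs(b"HTTP")
        + _cs(b"terrorbite.kent-music.com")
        + struct.pack(">IIBHH", 1, 0, 3, 3, 8) + bytes(8))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_REC)) + _REC

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE):
        print(entry)
```

On a real file, pass the bytes of the keytab (for example `open("httpd.keytab", "rb").read()`); a mismatch in principal name, vno or etype between the listing and the debug log is what to look for.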

