mod_spnego/mod_auth_kerb: GSS-API failure

Walter, Jerome jwalter at ixis-cib.com
Fri Feb 25 12:00:52 EST 2005 

Hi,

We are trying to setup an apache server on Solaris 8 using AD authentication through SPNEGO. For this, we are both trying to use mod_auth_kerb compiled over version 1.3.6 of MIT Kerberos libraries, and mod_spnego compiled over Krb5-1.4.

Both the setup returns a "Decrypt integrity failure".

Having read maximum of documentation we tried to reset the password, reset the account many times with no success, every time with "DES only" option set up.

One of the point we found weird is that when handling the spnego packet and before returning the error, no module connects to the KDC to check anything. Is it that the failure reading the keytab or the transmitted ticket stops the process ?

Using the client tools (kinit, klist, etc) almost everything seems fine. We can connect as the AD user "httpserver" smoothly. On the other side, when trying to use the keytab (kinit -k -t /etc/krb5.keytab HTTP/httpserver.domain.com), it fails returning "Kinit(v5): Key table entry not found while getting initital credentials".
Sniffing the networks shows that the KDC answers a "preauthentication failed" with the following ethereal values:

Type : PA-ENCTYPE-INFO (11)
    Value: xxxxxx rc4-hmac des-cbc-md5 des-cbc-crc
        Encryption type : rc4-hmac
        Salt : <missing>
        Encryption type: des-cbc-md5
        Salt: <yyyy>
        Encryption type : des-cbc-crc
        Salt : <yyy>
 Type : PA-ENC-TIMESTAMP (2)
    Value : missing
Type PA-PK-AS-REP (15)
    Value: missing





Do you have any beginning of a hint on this matter ? I don't understand where the process fails in preauthentication.

TIA for your help

Best regards,


Jérôme Walter 

--------------------------------------------------------

Ce message et toutes les pièces jointes peuvent être confidentiels, et, de plus, peuvent être couverts par un privilège ou une protection légale. Il est établi à l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse préalable. Toutes opinions exprimées dans ce message, sont personnelles à leur auteur et ne sauraient nécessairement refléter celle de IXIS CIB / IXIS Corporate & Investment Bank, de ses filiales ou de sa maison mère. Elles sont aussi susceptibles de modification sans notification préalable.  Tous droits réservés. Si vous recevez ce message par erreur, merci de le détruire et d'en avertir immédiatement l'expéditeur. Toute communication avec IXIS CIB / IXIS Corporate & Investment Bank peut être contrôlée, enregistrée et conservée. IXIS CIB / IXIS Corporate & Investment Bank décline toute responsabilité au titre de ce message s'il a été altéré, déformé ou falsifié. Les communications sur Internet n'étant pas sécurisées, IXIS CIB / IXIS Corporate & Investment Bank informe qu'il ne peut accepter aucune responsabilité quant au contenu de ce message.

This email and any attachment may be confidential and may also be legally privileged or otherwise protected from disclosure. It is intended only for the stated addressee(s) and access to it by any other person(s) is unauthorised. Any use, dissemination or disclosure not in accordance with its purpose, either in whole or in part, is prohibited without our prior formal approval. Any opinion expressed in this message may be personal to the author and may not necessarily reflect the opinion of IXIS CIB / IXIS Corporate & Investment Bank , its affiliates or parent company. It may also be subject to change without prior notice. Copyright reserved. If you are not an addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this email. If you have received it in error, please inform us immediately and delete all copies.  Any communication made with IXIS CIB / IXIS Corporate & Investment Bank (whether personal or business) may be monitored and a record kept. Neither IXIS CIB nor IXIS Corporate & Investment Bank shall be liable for the message if altered, changed or falsified. As communication on the Internet is not secure, IXIS CIB / IXIS Corporate & Investment Bank does not accept responsibility for the content of this message.
--------------------------------------------------------

More information about the Kerberos mailing list