kerberos authentication for apache on windows

Kallapur, Madhusudan V madhusudan.v.kallapur at intel.com
Thu Jun 2 15:22:30 EDT 2005


Looks like your SPNEGO is not requesting Kerberos tokens, or the Windows XP
client doesn't support Kerberos tokens.

1. You may want to configure the Win XP client (I guess you are using the IE
browser) as described in the link below:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp

2. I have used mod_auth_krb (http://modauthkerb.sourceforge.net/) to
configure my Apache web server (running on Linux) successfully for
SPNEGO with Kerberos authentication. You may want to add these lines to
your conf file:

<Location />
   AuthType Kerberos
   KrbMethodNegotiate on
   ------ your rest of the stuff comes here -----
</Location>

3. Use a network protocol analyzer (Ethereal works for me) to see
what's going on between the KDC, client and server. You may want to run the
tool on the client, as it talks to both the KDC and the server.


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Julien ALLANOS
Sent: Thursday, June 02, 2005 6:37 AM
To: kerberos at mit.edu
Subject: Re: kerberos authentication for apache on windows

Selon Jeffrey Altman <jaltman2 at nyc.rr.com>:

> Julien ALLANOS wrote:
>> Hello,
>>
>> I'm new to Kerberos, and I want to know if the following configuration is
>> possible:
>>
>> I have an Apache2 web server running on Windows 2003 Server, and I want to
>> authenticate users with Kerberos before they can access the web server
>> content. The KDC service seems to be up and running on the Windows
>> 2003 server.
>>
>> 1/ How can I check that a client (Windows XP) that has just logged into the
>> domain has been given a TGT?
>
> If you want a visual indication, you can use:
>
> * the "klist" tool provided by Microsoft with Windows
>
> * the "kerbtray" tool provided by Microsoft in the Resource Kit
>
> * MIT Kerberos for Windows and its Leash Ticket Manager,
>
>> Now I have to "kerberize" the Apache server. I found mod_auth_krb
>> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
>> headers and libs for a Kerberos implementation.
>>
>> 2/ Can I use the Windows implementation to compile it? Or do I have to install
>> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
>> build it?
>
> If you want to build an Apache module that uses the MIT Kerberos APIs,
> you can build the module against the SDK that is installed as a part of
> MIT Kerberos for Windows.
>
> Jeffrey Altman

Thanks.

I have installed kerbtray, and I can see the following tickets for
MY.DOMAIN.COM:

cifs/srv.my.domain.com
krbtgt/MY.DOMAIN.COM (forwarded)
krbtgt/MY.DOMAIN.COM (initial)
ldap/srv.my.domain.com/my.domain.com

So I suppose the krbtgt entries are the TGT. But why two tickets?

I've succeeded in building mod_spnego.so for Windows, using MIT KfW 2.6.5,
fbopenssl, OpenSSL and Apache2. Then I've created a user in AD, and a
corresponding keytab for HTTP/my.domain.com at MY.DOMAIN.COM.

I'm using the following configuration for Apache:

<Location />
   AuthType SPNEGO
   Krb5KeyTabFile conf/rp.HTTP.keytab
   Krb5ServiceName HTTP
   Require valid-user
</Location>

Here is a summary of an access to the web server:

C -> GET / -> S
C <- 401, WWW-Authenticate: Negotiate <- S

C -> GET /, Authorization: Negotiate xxxxx -> S
C <- 401 <- S

Here are the last 3 lines of error.log:

[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
[Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token

So what's wrong, please? I really need to make Kerberos work, not NTLM.

Thanks for any help.
-- 
Julien ALLANOS
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
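The "received type 1 NTLM token" line in the log above is the key diagnostic: the browser fell back to NTLM inside the Negotiate header instead of sending a SPNEGO/Kerberos token. The following is an added example, not code from either poster or from mod_spnego, showing how such a check can be done offline on a captured Authorization header: it base64-decodes the token and distinguishes an NTLMSSP message (signature "NTLMSSP\0", message type at offset 8) from a GSS-API InitialContextToken carrying the SPNEGO or Kerberos mechanism OID. The sample headers are constructed, not captured traffic.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER OBJECT IDENTIFIER bodies of the mechanisms that show up in a Negotiate header
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(authorization_header):
    """Label what a client actually sent after 'Negotiate' (hypothetical helper)."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "bad-base64"
    if tok.startswith(NTLMSSP_SIGNATURE) and len(tok) >= 12:
        msg_type = struct.unpack_from("<I", tok, 8)[0]   # little-endian MessageType
        return f"ntlm-type{msg_type}-{NTLM_TYPES.get(msg_type, 'unknown')}"
    if len(tok) >= 2 and tok[:1] == b"\x60":  # GSS-API [APPLICATION 0] InitialContextToken
        _, pos = _der_length(tok, 1)
        if tok[pos:pos + 1] == b"\x06":
            oid_len, pos = _der_length(tok, pos + 1)
            oid = tok[pos:pos + oid_len]
            if oid == OID_SPNEGO:
                return "spnego"
            if oid == OID_KRB5:
                return "kerberos"
            return "gssapi-unknown-mech"
    return "unknown"


def sample_headers():
    """Constructed sample Authorization headers for the classifier (not real traffic)."""
    ntlm_type1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
    inner = b"\x06\x06" + OID_SPNEGO + b"\xa0\x00"     # mech OID + empty NegTokenInit
    spnego_init = b"\x60" + bytes([len(inner)]) + inner
    return {"ntlm": "Negotiate " + base64.b64encode(ntlm_type1).decode(),
            "spnego": "Negotiate " + base64.b64encode(spnego_init).decode(),
            "basic": "Basic dXNlcjpwYXNz"}
```

Running `classify_negotiate_token` over the headers in a proxy or access log shows at a glance which clients never obtained a Kerberos service ticket and fell back to NTLM.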
