Different behaviour of mod_auth_kerb depending on kerberos stack
Russ Allbery
rra at stanford.edu
Tue Oct 19 14:01:36 EDT 2010
Beier Michael <M.Beier at enbw.com> writes:
> Using the MIT implementation, accessing the virtualhost using Firefox
> still works, because Firefox does a reverse and forward DNS lookup and
> sends a Kerberos ticket for HTTP/hostname.enbw.net, which is found in
> the keytab file. With Internet Explorer mod_auth_kerb declines the access
> to http://virtualhost.enbw.net, because it sends (actually the same)
> Kerberos ticket (but) for HTTP/virtualhost.enbw.net, which is not found
> in the keytab file. Apache shows the following error:
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information (, Key table entry not found)
> At the moment I've no really good ideas how to solve this - the first
> idea was to create a separate account and keytab for each virtualhost,
> but the different behaviour of Firefox and IE seems to make that
> impossible, because one ServicePrincipalName would have to be added to
> multiple accounts, but must be unique in Active Directory at the same
> time.
> Can anyone provide me some help or idea, how to solve this?
Add keytabs for each virtual host and then use "KrbServiceName Any" in
your Apache configuration.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
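
A pre-deployment check for the failure discussed in this thread, added here as an illustration and not part of the original messages: it parses `klist -k` output and reports which HTTP/ principals a browser may request that have no key in the keytab Apache reads. The keytab path, KVNO and realm in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of MIT `klist -k` output; keytab path, KVNO and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 HTTP/hostname.enbw.net@EXAMPLE.REALM
   3 HTTP/hostname.enbw.net@EXAMPLE.REALM
"""

# An entry line starts with the KVNO; the principal is the token containing "@".
# Lazy skipping tolerates the timestamp column that `klist -kt` adds.
ENTRY = re.compile(r"\s*\d+\s+.*?(\S+@\S+)")


def keytab_principals(klist_output):
    """Return the set of principals in the listing, with the realm stripped."""
    principals = set()
    for line in klist_output.splitlines():
        match = ENTRY.match(line)
        if match:
            principals.add(match.group(1).rsplit("@", 1)[0])
    return principals


def missing_spns(klist_output, hostnames, service="HTTP"):
    """List the service/hostname principals a client may request that have no key."""
    have = keytab_principals(klist_output)
    # Principal names are compared exactly; Kerberos treats them as case-sensitive.
    wanted = [f"{service}/{host}" for host in hostnames]
    return [spn for spn in wanted if spn not in have]


if __name__ == "__main__":
    # Canonical host name (requested by Firefox) and virtual host name (requested by IE).
    names = ["hostname.enbw.net", "virtualhost.enbw.net"]
    for spn in missing_spns(SAMPLE_KLIST, names):
        print(f"no keytab entry for {spn}")
```

Any name this reports will produce the "Key table entry not found" error for clients that request it, whatever `KrbServiceName` is set to.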