Fedora2/Apache2 and Key Version Error

Scott Moseman smoseman at novolink.net
Wed Aug 25 15:38:43 EDT 2004


As of right now, this is what our Apache server is saying in the logs...

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/fqdn.domain.com at REALM
Verifying client data using KRB5 GSS-API
Verification returned code 589824
Warning: received token seems to be NTLM, which isn't supported...
gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user_krb5pwd ret=0 user=username at REALM authtype=Basic

We are assuming that our browser (IE60) is not sending Apache2 our username
and password credentials via Kerberos.  Is there any way that we could
validate that Apache2 is properly requesting "WWW-Authentication: Negotiate"
from the web browser?  I did a telnet to port 80 and used "GET /" but that
did not tell me anything about Negotiate, although I am not sure if I used
the right syntax.

Thanks,
Scott Moseman



"Scott Moseman" <smoseman at novolink.net> wrote:
>
> Fedora Core 2 running Apache 2.0.50 using mod_auth_kerb-rc6.
> Setup Kerberos and made principals for the system and for Apache.
>
> Login (pam) access using Kerberos is working great.  No problem.
> kinit works and authenticates against the ADS.  No problem there.
>
> When my browser hits the Apache server, I get this error message:
>
> gss_accept_sec_context() failed: Miscellaneous failure
> (Key version number for principal in key table is incorrect)
>
> The website pops up the user/pass prompt (which we want to stop)
> and I am able to login with my ADS credentials okay.  No problem.
>
> Any idea what is causing the above error message in Apache's logs?
> I have a feeling this is what is stopping us from having SSO working.
> (The website is in my Intranet Sites and I do have IWA configured.)
>
> Thanks,
> Scott Moseman
>
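
As an added example (not part of the original post and not mod_auth_kerb code), the Python below covers the two checks the message asks about: which schemes a raw response head offers in its `WWW-Authenticate` headers, and whether a browser's `Negotiate` token is raw NTLM, as the log warning reports, or a GSS-API/SPNEGO token. The sample response and all function names are constructed for illustration; note that a bare `GET /` with no HTTP version is an HTTP/0.9 request and is answered without any headers, so the head has to come from a request such as `GET / HTTP/1.0`.

```python
import base64

# Constructed sample: the kind of response head a server offering Kerberos
# SSO with a Basic fallback sends to "GET / HTTP/1.0" (not from the post).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b'WWW-Authenticate: Basic realm="Kerberos Login"\r\n'
    b"Content-Type: text/html\r\n\r\n<html>...</html>"
)

NTLMSSP = b"NTLMSSP\x00"                             # NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2


def offered_schemes(raw_response: bytes) -> list[str]:
    """Return the scheme of every WWW-Authenticate header, in order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    schemes = []
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes


def classify_token(authorization_value: str) -> str:
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                               # includes binascii.Error
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"            # raw NTLM: the case the log warning describes
    if token[:1] == b"\x60":     # GSS-API initial token, ASN.1 [APPLICATION 0]
        if SPNEGO_OID in token[:16]:
            return "spnego"
        if KRB5_OID in token[:16]:
            return "kerberos"
    return "unknown"
```

An empty list from `offered_schemes` means the server never asked for Negotiate on that URL; an `ntlm` result means the server did ask but the browser answered without a Kerberos ticket.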



