RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory - Problem
Jellbauer Jakob
jakob.jellbauer at interhyp.de
Thu Aug 25 07:43:53 EDT 2005
Hello list,
I've problems getting this combination, RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory, to work.
My way:
- I've created a new user on a 2003 domain controller
- used the (2003) ktpass tool to create the user mapping
- merged it with the existing keytab file with only "DES cbc mode with RSA-MD5" principals
Now I can get a ticket through:
>kinit -S HTTP/myserver.mydomain-websrvdmz.de
>klist -e
Ticket cache: FILE:/tmp/krb5cc_6024
Default principal: HTTP/myserver.mydomain-websrvdmz.de@INTERHYP.DE

Valid starting     Expires            Service principal
08/25/05 13:13:46  08/25/05 23:13:50  krbtgt/INTERHYP.DE@INTERHYP.DE
        renew until 08/26/05 13:13:46, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
But when I try to make an SSO via Internet Explorer I get this in the Apache error log:
... gss_accept_sec_context() failed: Miscellaneous failure (Decrypt integrity check failed) ...
... failed to verify krb5 credentials: Decrypt integrity check failed ...
I have purged my tickets already and I don't have any enctypes specified in my krb5.conf.
In general, is it possible to get this combination to work?
Greetings and thanks
jakob
-
Jakob Jellbauer
Network & System Engineer
Information Technology
Interhyp AG | Parkstadt Schwabing Marcel-Breuer-Str. 18 80807 München
Telefon: 089-76 77 21 47 | Telefax: 089-76 77 251 47 | Mobil: 0151-16 70 19 16
mailto:jakob.jellbauer at interhyp.de | www.interhyp.de