Help ON Single SIGN ON W2000kdc -> Apache
Pedro Ferreira
pedro.m.ferreira at gmail.com
Mon Jan 3 11:50:59 EST 2005
Hi ppl
I'm trying to implement single sign-on between a W2000 machine and a Linux box,
and I'm having a bit of trouble.
REALM = PULSO.PTC
WINDOWS2000 = w2000kdc.pulso.ptc
LINUX = debian.pulso.ptc
The first thing I did was create an account on the W2000 box with the name debian.
Then I issued the commands:
ktpass -princ HTTP/debian@PULSO.PTC -mapuser debian -pass debian -out HTTP.keytab
setspn -A HTTP/debian debian
After that I copied the HTTP.keytab to the Linux box and then I did
$ cp HTTP.keytab /etc/krb5.keytab
I think this covers the basics for a Kerberos-based authentication.
My /etc/krb5.conf:
[libdefaults]
    default_realm = PULSO.PTC
[domain_realm]
    debian.pulso.ptc = PULSO.PTC
[realms]
    PULSO.PTC = {
        kdc = w2000kdc.pulso.ptc
        admin_server = w2000kdc.pulso.ptc
    }
After editing /etc/krb5.conf I configured Apache.
I compiled and loaded the module mod_auth_gss_krb5 into Apache,
and also enabled Integrated Windows Authentication in IE 6.0 on the w2000kdc.
In the document root I inserted the following lines:
GssKrb5Keytab "/etc/krb5.keytab"
Krb5Keytab "/etc/krb5.keytab"
KrbAuthRealm PULSO.PTC
Krb5SaveCredentials Off
AuthType GSS
GssAuth On
AuthName "KRB5 Realm"
require valid-user
------
When I try to access the web server as a logged-in user on w2000kdc.pulso.ptc,
I get the following error on the web server:
==> /var/log/apache/error.log <==
[Mon Jan 3 17:43:14 2005] [notice] [client 144.64.171.96] gss_acquire_cred() failed: No principal in keytab matches desired name:
==> /var/log/apache/access.log <==
144.64.171.96 - - [03/Jan/2005:17:43:14 +0000] "GET /~xe HTTP/1.1" 401 472 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
144.64.171.96 - - [03/Jan/2005:17:43:14 +0000] "GET /~xe HTTP/1.1" 500 594 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
------
Thanks
Pedro Miguel Nunes Ferreira
Telf: +351 917427847
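A diagnostic for the "No principal in keytab matches desired name" error reported above, added here as an example and not part of the original post: it parses the output of `klist -k` on the Linux box and reports which HTTP service principals are present in the keytab for the names the server is reached by, and which are missing. A GSS-API client asks for HTTP/<host as typed in the URL>@REALM, so one entry per hostname in use is needed. The hostnames and realm come from the post; the `klist -k` listing is a constructed sample modelled on the keytab the `ktpass` command creates.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT format, no -e),
# modelled on the keytab produced by `ktpass -princ HTTP/debian@PULSO.PTC`.
SAMPLE_KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/debian@PULSO.PTC
"""

# One entry line: key version number, principal, optional "(enctype)" from -e.
PRINCIPAL_LINE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(.*\))?\s*$")


def parse_keytab_listing(text: str) -> Dict[str, int]:
    """Return {principal: kvno} from `klist -k` output, skipping header lines."""
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        m = PRINCIPAL_LINE.match(line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def expected_http_principals(hostnames: List[str], realm: str) -> Set[str]:
    """Service principals a browser may request for HTTP on these hostnames.

    The client builds HTTP/<host>@REALM from the hostname in the URL, so the
    keytab needs an entry for every name users type (short and fully qualified).
    """
    return {f"HTTP/{host}@{realm}" for host in hostnames}


def check_keytab(listing: str, hostnames: List[str], realm: str) -> Dict[str, List[str]]:
    """Report which expected HTTP principals the keytab holds and which it lacks."""
    present = set(parse_keytab_listing(listing))
    wanted = expected_http_principals(hostnames, realm)
    return {"present": sorted(wanted & present), "missing": sorted(wanted - present)}


if __name__ == "__main__":
    # Hostnames and realm taken from the post; replace the sample with the
    # real output of `klist -k /etc/krb5.keytab` on the Apache host.
    print(check_keytab(SAMPLE_KLIST_OUTPUT, ["debian", "debian.pulso.ptc"], "PULSO.PTC"))
```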