kerberos authentication for apache on windows
Julien ALLANOS
julien.allanos at aql.fr
Thu Jun 2 09:37:26 EDT 2005
Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
> Julien ALLANOS wrote:
>> Hello,
>>
>> I'm new to kerberos, and I want to know if the following configuration is
>> possible:
>>
>> I have an Apache2 web server running on Windows 2003 Server, and I want to
>> authenticate users with kerberos before they can access the web server
>> content. The kdc service seems to be up and running on the Windows
>> 2003 server.
>>
>> 1/ how can I check that a client (Windows XP) that has just logged into the
>> domain has been given a TGT?
>
> If you want a visual indication, you can use:
>
> * the "klist" tool provided by Microsoft with Windows
>
> * the "kerbtray" tool provided by Microsoft in the Resource Kit
>
> * MIT Kerberos for Windows and its Leash Ticket Manager.
>
>> Now I have to "kerberize" the Apache server. I found mod_auth_krb
>> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
>> headers and libs for a Kerberos implementation.
>>
>> 2/ Can I use Windows implementation to compile it? Or do I have to install
>> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
>> build it?
>
> If you want to build an Apache module that uses the MIT Kerberos APIs,
> you can build the module against the SDK that is installed as a part of
> MIT Kerberos for Windows.
>
> Jeffrey Altman
Thanks.
I have installed kerbtray, and I can see the following tickets for
MY.DOMAIN.COM:
cifs/srv.my.domain.com
krbtgt/MY.DOMAIN.COM (forwarded)
krbtgt/MY.DOMAIN.COM (initial)
ldap/srv.my.domain.com/my.domain.com
So I suppose the krbtgt are the TGT. But why two tickets?
I've succeeded in building mod_spnego.so for Windows, using MIT kfw 2.6.5,
fbopenssl, openssl and apache2. Then I've created a user in AD, and a
corresponding keytab for HTTP/my.domain.com at MY.DOMAIN.COM.
I'm using the following configuration for Apache:
<Location />
AuthType SPNEGO
Krb5KeyTabFile conf/rp.HTTP.keytab
Krb5ServiceName HTTP
Require valid-user
</Location>
Here is a summary of an access to the web server:
C -> GET / -> S
C <- 401, WWW-Authenticate: Negotiate <- S
C -> GET /, Authorization: Negotiate xxxxx -> S
C <- 401 <- S
Here are the last 3 lines of error.log:
[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
[Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token
So what's wrong please? I really need to make Kerberos work, not NTLM.
Thanks for any help.
--
Julien ALLANOS
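As an added diagnostic example (not code from the original post, nor from mod_spnego or MIT Kerberos for Windows), the following Python script decodes the base64 payload of an `Authorization: Negotiate ...` header and reports whether the client sent a raw NTLM message (the "type 1 NTLM token" seen in the error.log above) or a GSS-API token carrying the SPNEGO or Kerberos v5 mechanism OID. The token in the post was redacted ("xxxxxx"), so the sample headers below are constructed: a minimal NTLM NEGOTIATE message and stub SPNEGO/Kerberos tokens with only the outer GSS-API framing. Function and constant names are this example's own.

```python
import base64
import binascii
import struct

# Mechanism OIDs as DER content bytes (RFC 4178 SPNEGO, RFC 4121 Kerberos v5).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f71201020 2".replace(" ", ""))  # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_der_length(buf: bytes, pos: int):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_gss_token(token: bytes) -> str:
    """Classify a decoded Negotiate token by its outer framing."""
    # A bare NTLMSSP message: signature, then a little-endian uint32 message type
    # (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) >= 12:
            msg_type = struct.unpack_from("<I", token, 8)[0]
            return "ntlm-type%d" % msg_type
        return "ntlm"
    # RFC 2743 InitialContextToken: [APPLICATION 0] (0x60), length, then the mech OID.
    if not token or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _read_der_length(token, 1)
        if pos >= len(token) or token[pos] != 0x06:
            return "unknown"
        oid_len, pos = _read_der_length(token, pos + 1)
    except (ValueError, IndexError):
        return "unknown"
    oid = token[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"


def classify_negotiate_header(header_value: str) -> str:
    """Classify the value of an HTTP Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "undecodable"
    return classify_gss_token(token)


def _wrap_initial_context_token(inner: bytes) -> bytes:
    # Short-form DER length is enough for these small constructed samples.
    return b"\x60" + bytes([len(inner)]) + inner


# Constructed sample tokens (not captured from the poster's server).
# NTLM NEGOTIATE: signature, type 1, flags, empty domain and workstation fields.
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0x00088207) + b"\x00" * 16
# SPNEGO: mech OID followed by a stub NegTokenInit ([0] wrapping an empty SEQUENCE).
SAMPLE_SPNEGO = _wrap_initial_context_token(b"\x06\x06" + SPNEGO_OID + b"\xa0\x02\x30\x00")
# Kerberos v5: mech OID followed by the AP-REQ TOK_ID (0x01 0x00); the AP-REQ body is omitted.
SAMPLE_KRB5 = _wrap_initial_context_token(b"\x06\x09" + KRB5_OID + b"\x01\x00")

SAMPLE_HEADERS = {
    "ntlm": "Negotiate " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode(),
    "spnego": "Negotiate " + base64.b64encode(SAMPLE_SPNEGO).decode(),
    "kerberos": "Negotiate " + base64.b64encode(SAMPLE_KRB5).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample header."""
    return {name: classify_negotiate_header(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print("%-9s -> %s" % (name, result))
```

Seeing `ntlm-type1` for a browser that is supposed to use Kerberos usually means the client could not obtain a service ticket for the HTTP service principal (wrong or missing SPN, host not treated as intranet, or clock skew), so it fell back to NTLM; a `spnego` result means the client at least attempted the negotiation the server expects. Note that the constant `KRB5_OID` above is built with `bytes.fromhex`, so any stray whitespace in the hex literal is stripped before decoding.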