kerberos authentication for apache on windows

Julien ALLANOS julien.allanos at aql.fr
Fri Jun 3 08:06:25 EDT 2005


Quoting "Kallapur, Madhusudan V" <madhusudan.v.kallapur at intel.com>:

> looks like your spnego is not requesting Kerberos tokens or windows xp
> client doesn't support Kerberos tokens.

Right. Both browsers (IE and Firefox) send the following Authorization header:

  Negotiate BASE64-encoded-NTLM (starts with NTLMSSP...)

> 1. you may want to configure win xp client, I guess you are using IE
> browser, as described in the link below
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
>

Already configured IE to use SPNEGO. NTLM works well (using mod_auth_sspi on
the Apache web server). For Firefox I've added the hostname of the web server
to both network.negotiate-auth.trusted-uris and
network.automatic-ntlm-auth.trusted-uris. For IE, my server is in the intranet
zone and integrated Windows auth is enabled.

> 2. I have used mod_auth_kerb (http://modauthkerb.sourceforge.net/) to
> configure my Apache webserver (running on Linux) successfully for
> SPNEGO with Kerberos authentication. You may want to add these lines to
> your conf file
>
> <Location />
>   AuthType Kerberos
>   KrbMethodNegotiate on
>   ------ your rest of the stuff comes here -----
> </Location>

mod_auth_kerb isn't very portable to WIN32, that's why I'm using mod_spnego
(that already has VC++ project files).

>
> 3. Use network protocol analyzer tools (ethereal works for me) to see
> what's going on between KDC, client and server. You may want to run the
> tool on the client as it talks to both KDC and server.
>

I've just installed ethereal on the client, but I want to know which ports I
have to listen on to get KDC messages (because a lot of packets are caught
without using a filter, and filtering on port 80 only isn't sufficient, I
believe, to see the dialogs between the client SSPI layer and the KDC).
Actually, I have the same box for the client (web browser), the web server and
the KDC, maybe the problem comes from that...

So why are my web browsers sending NTLM tokens in the Authorization header,
instead of SPNEGO tokens?

Thanks for your help.
-- 
Julien ALLANOS
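
An added example, not part of the original message or of mod_spnego: a server-side diagnostic that decodes the value of an `Authorization: Negotiate ...` header and reports whether it carries a bare NTLMSSP message (the case described above) or a GSS-API/SPNEGO token, and which mechanisms the SPNEGO NegTokenInit (RFC 4178) offers. The names `read_tlv`, `classify_negotiate` and `SAMPLE_NTLM` are this example's own.

```python
import base64

OID_SPNEGO = bytes.fromhex("06062b0601050502")  # DER-encoded OID 1.3.6.1.5.5.2
MECH_NAMES = {  # DER-encoded mechanism OIDs -> label used in the result
    bytes.fromhex("06092a864886f712010202"): "kerberos",     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "ms-kerberos",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "ntlmssp",    # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify the token in a Negotiate header value (added example helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"  # NTLM sent directly, no SPNEGO wrapping
        if token[:1] != b"\x60":  # GSS-API InitialContextToken tag
            return "unknown"
        _, pos, _ = read_tlv(token, 0)
        _, _, oid_end = read_tlv(token, pos)
        mech = token[pos:oid_end]
        if mech in MECH_NAMES:
            return "raw-" + MECH_NAMES[mech]
        if mech != OID_SPNEGO:
            return "unknown"
        pos = oid_end  # descend: [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, stop = read_tlv(token, pos)
            if tag != expected:
                return "spnego-malformed"
        offered = []
        while pos < stop:  # one OID per offered mechanism, in preference order
            _, _, end = read_tlv(token, pos)
            offered.append(MECH_NAMES.get(token[pos:end], "other"))
            pos = end
        return "spnego:" + ",".join(offered)
    except (ValueError, IndexError):  # bad base64 or truncated DER
        return "malformed"

SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()  # constructed sample
```

A result of `raw-ntlm` or `spnego:ntlmssp` means the client never offered Kerberos, so the cause lies on the client side (ticket acquisition for the service) rather than in the web server module.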

