kerberos authentication for apache on windows

Julien ALLANOS julien.allanos at aql.fr
Mon Jun 6 03:12:27 EDT 2005


Quoting Frank Balluffi <frank.balluffi at db.com>:

>
> For IE, follow the directions on
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
> (I think someone has already made this point), including shutting down ALL
> instances of IE and restarting IE.
>
> Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
> I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).
>
> I have seen IE send NTLM tokens under the following circumstances:
>
> 1. web server sends IE the following:
>
> HTTP/1.1 401 Authorization Required
> ...
> WWW-Authenticate: NTLM
> ...
>
> 2. IE is NOT configured as above and web server sends IE the following:
>
> HTTP/1.1 401 Authorization Required
> ...
> WWW-Authenticate: Negotiate
> ...
>
> mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
> mod_spnego, read Microsoft's directions very carefully.
>
> Sniff the following traffic:
>
> HTTP between IE and web server (usually port 80)
> Kerberos between IE and KDC (usually port 88)
>
> Frank
>

I am now facing the following problem: browsers don't send NTLM tokens
anymore but SPNEGO tokens (I believe). I don't really know what I did to make
it work, but heh, it works. That's good. However, I get internal server errors
from the web server. Actually I think mod_spnego couldn't find the keytab. So I
copied the keytab file to C:\WINDOWS\krb5kt as stated in mod_spnego's README
file. I am now getting this:

[Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
gss_acquire_cred failed; GSS-API: Miscellaneous failure)
[Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
gss_acquire_cred failed; GSS-API mechanism: No principal in keytab matches
desired name)

> klist -k c:\WINDOWS\krb5kt
Keytab name: FILE:c:\WINDOWS\krb5kt
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR

Any help please? Thanks.
-- 
Julien ALLANOS
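The "No principal in keytab matches desired name" error above means gss_acquire_cred looked up an exact service principal (service/host@REALM) and the keytab held nothing identical to it. As an added example, not code from the original post nor from mod_spnego, the script below parses an MIT-format keytab directly and explains which part of the name disagrees: the realm, the host (short name versus FQDN) or the letter case of the components, all of which Kerberos compares exactly. The keytab bytes are constructed in the script with a dummy key; the only principal it contains is the one the klist output above shows. The "expected" names passed to the diagnosis are hypothetical illustrations, not a statement of which realm is correct for this server: in practice compare against the service principal in the ticket the KDC actually issued (visible in the port 88 traffic Frank suggests sniffing).

```python
"""Parse a v2 MIT keytab and diagnose a service-principal mismatch."""
import struct

# Constructed sample data, not a real keytab or key from the page.


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a keytab version 0x0502."""
    out = bytearray(b"\x05\x02")                         # MIT keytab format version 2
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))  # component count
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)                     # name type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                     # timestamp (not used here)
        body += struct.pack(">B", kvno & 0xFF)           # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body       # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                                     # negative size: deleted slot
            pos -= size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        (rlen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 8                                         # skip name type + timestamp
        kvno = data[pos]; pos += 1
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen                                  # skip the key material
        if end - pos >= 4:                               # 32-bit kvno overrides vno8
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def diagnose(entries, service, host, realm):
    """Explain why GSS-API would not find service/host@realm in these entries."""
    wanted = f"{service}/{host}@{realm}"
    names = [p for p, _, _ in entries]
    if wanted in names:
        return "ok", wanted
    for p in names:
        name, prealm = p.rsplit("@", 1)
        psvc, _, phost = name.partition("/")
        same_name_ci = (psvc.lower(), phost.lower()) == (service.lower(), host.lower())
        if same_name_ci and prealm != realm:
            return "realm mismatch", p                   # principal name fine, realm differs
        if same_name_ci:
            return "case mismatch", p                    # Kerberos compares case-sensitively
        if psvc.lower() == service.lower() and \
                phost.split(".")[0].lower() == host.split(".")[0].lower():
            return "host mismatch", p                    # short name versus FQDN
    return "missing", None


# The single principal listed by klist in the post; key and enctype (23 = rc4-hmac) are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR", 3, 23, b"\x00" * 16),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for principal, kvno, enctype in found:
        print(f"kvno {kvno} enctype {enctype} {principal}")
    # Hypothetical expectations, to show each kind of mismatch the checker reports.
    for svc, host, realm in [("HTTP", "adcassard.jas.aql.fr", "SRV1.ADCASSARD.JAS.AQL.FR"),
                             ("HTTP", "adcassard.jas.aql.fr", "JAS.AQL.FR"),
                             ("http", "adcassard.jas.aql.fr", "SRV1.ADCASSARD.JAS.AQL.FR"),
                             ("HTTP", "adcassard", "SRV1.ADCASSARD.JAS.AQL.FR")]:
        print(f"{svc}/{host}@{realm}: {diagnose(found, svc, host, realm)}")
```

To use it against the real file, replace SAMPLE_KEYTAB with `open(r"C:\WINDOWS\krb5kt", "rb").read()` and pass the service principal from the captured AP-REQ to diagnose; anything other than "ok" is a name that gss_acquire_cred will reject regardless of whether the key itself is right.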
