kerberos authentication for apache on windows
Frank Balluffi
frank.balluffi at db.com
Mon Jun 6 08:58:00 EDT 2005
Julien ALLANOS said:
> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API: Miscellaneous failure)
> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API mechanism: No principal in keytab
matches
> desired name)
>
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
> ----
>
--------------------------------------------------------------------------
> 3 HTTP/adcassard.jas.aql.fr at SRV1.ADCASSARD.JAS.AQL.FR
Sniff the traffic between the browser and the KDC (usually port 88 of the
KDC) and look at the service name in the HTTP ticket sent from the KDC to
the browser in the TGS-REP, which should equal a name in the keytab.
Also, I remember having difficulties using KRB5_KTNAME on Windows --
either it was not supported on Windows or did not support drive letters
(e.g., C:). There are two notes about KRB5_KTNAME in
mod_spnego/readme.txt.
Frank
More information about the Kerberos
mailing list