Seamless/transparent SSO with Apache, Win2003, IE
Fred Dennis
fd_1972tn at yahoo.com
Thu Nov 10 11:41:08 EST 2005
I'm trying to create a seamless sign on to a web site
using Solaris (Kerberos installed), Apache
(mod_auth_kerb installed), MS Active directory, and IE
client.
I can authenticate using and AD user/pass to a website
if the IE option "Enable Integrated Authentication" is
*UN*checked. When going to the url I get a login
prompt and enter the account information, then am
allowed access to the web site.
However, when the option is CHECKED, I am passed
directly to the web site (which is what I want), BUT
get the apache log errors below and a "Page cannot be
displayed" error.
Looking at the packets going to/from web server I can
see some sort of negotiation going on, but also see a
"checksum incorrect" message. The ethereal output is
below.
I would greatly appreciate assistance with this. I've
been trying to find a solution for the past week to no
avail.
Thanks!
============ APACHE ERROR LOG ===============
[Thu Nov 10 08:34:37 2005] [debug]
src/mod_auth_kerb.c(1322): [client 10.76.105.97]
kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Nov 10 08:34:37 2005] [debug]
src/mod_auth_kerb.c(1023): [client 10.76.105.97]
Acquiring creds for
HTTP/curly.corp.inthosts.net at MAX.INTHOSTS.NET
================ PACKET CAPTURE ===============
Frame 7 (2051 bytes on wire, 2051 bytes captured)
Ethernet II, Src: Intel_40:15:ec (00:d0:b7:40:15:ec),
Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Internet Protocol, Src: 10.76.105.97 (10.76.105.97),
Dst: 10.76.65.113 (10.76.65.113)
Transmission Control Protocol, Src Port: 3188 (3188),
Dst Port: http (80), Seq: 315, Ack: 853, Len: 1997
Source port: 3188 (3188)
Destination port: http (80)
Sequence number: 315 (relative sequence number)
Next sequence number: 2312 (relative sequence
number)
Acknowledgement number: 853 (relative ack
number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 64683
*****************************************************
*****************************************************
* CHECKSUM ERROR -- comments added by me
*****************************************************
*****************************************************
Checksum: 0xbf70 [incorrect, should be 0x2f4c]
SEQ/ACK analysis
Hypertext Transfer Protocol
GET /cgi-bin/1/printenv HTTP/1.1\r\n
Request Method: GET
Request URI: /cgi-bin/1/printenv
Request Version: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, */*\r\n
Accept-Language: en-us\r\n
UA-CPU: x86\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n
Host: curly.corp.inthosts.net\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate
YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSXYIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBNQVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx
GSS-API Generic Security Service Application
Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple
Protected Negotiation)
SPNEGO
negTokenInit
mechTypes: 3 items
Item: 1.2.840.48018.1.2.2 (MS
KRB5 - Microsoft Kerberos 5)
Item: 1.2.840.113554.1.2.2
(KRB5 - Kerberos 5)
Item: 1.3.6.1.4.1.311.2.2.10
(NTLMSSP - Microsoft NTLM Security Support Provider)
mechToken:
6082049306092A864886F71201020201006E820482308204...
krb5_blob:
6082049306092A864886F71201020201006E820482308204...
KRB5 OID: 1.2.840.113554.1.2.2
(KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ
(0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000
(Mutual required)
.0.. .... .... ....
.... .... .... .... = Use Session Key: Do NOT use the
session key to encrypt the ticket
..1. .... .... ....
.... .... .... .... = Mutual required: MUTUAL
authentication is REQUIRED
Ticket
Tkt-vno: 5
Realm:
MAX.INTHOSTS.NET
Server Name (Service
and Instance): HTTP/curly.corp.inthosts.net
Name-type: Service
and Instance (2)
Name: HTTP
Name:
curly.corp.inthosts.net
enc-part rc4-hmac
Encryption type:
rc4-hmac (23)
Kvno: 2
enc-part:
B03EAB462F73653D61D98C3CA97705CFFD50D177D14021EA...
Authenticator rc4-hmac
Encryption type:
rc4-hmac (23)
Authenticator data:
E3A02A891F9A43AD16797C0D26D395BA356381948B70C925...
\r\n
__________________________________
Start your day with Yahoo! - Make it your home page!
http://www.yahoo.com/r/hs
More information about the Kerberos
mailing list