Seamless/transparent SSO with Apache, Win2003, IE
Sung Ho Jee
jee.sung at ansaldo-signal.com.au
Thu Nov 10 21:08:17 EST 2005
Did you have the 'Use DES encryption types for this account' option ticked
for the HTTP service account when generating its keytab file?
Regards,
Sung-ho Jee
Fred Dennis <fd_1972tn at yahoo.com>
Sent by: kerberos-bounces at mit.edu
11/11/2005 12:41 AM
To: kerberos at mit.edu
cc:
Subject: Seamless/transparent SSO with Apache, Win2003, IE
I'm trying to create a seamless sign on to a web site
using Solaris (Kerberos installed), Apache
(mod_auth_kerb installed), MS Active directory, and IE
client.
I can authenticate using an AD user/pass to a website
if the IE option "Enable Integrated Authentication" is
*UN*checked. When going to the url I get a login
prompt and enter the account information, then am
allowed access to the web site.
However, when the option is CHECKED, I am passed
directly to the web site (which is what I want), BUT
get the apache log errors below and a "Page cannot be
displayed" error.
Looking at the packets going to/from web server I can
see some sort of negotiation going on, but also see a
"checksum incorrect" message. The ethereal output is
below.
I would greatly appreciate assistance with this. I've
been trying to find a solution for the past week to no
avail.
Thanks!
============ APACHE ERROR LOG ===============
[Thu Nov 10 08:34:37 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.76.105.97] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 10 08:34:37 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.76.105.97] Acquiring creds for HTTP/curly.corp.inthosts.net at MAX.INTHOSTS.NET
================ PACKET CAPTURE ===============
Frame 7 (2051 bytes on wire, 2051 bytes captured)
Ethernet II, Src: Intel_40:15:ec (00:d0:b7:40:15:ec), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
Internet Protocol, Src: 10.76.105.97 (10.76.105.97), Dst: 10.76.65.113 (10.76.65.113)
Transmission Control Protocol, Src Port: 3188 (3188), Dst Port: http (80), Seq: 315, Ack: 853, Len: 1997
    Source port: 3188 (3188)
    Destination port: http (80)
    Sequence number: 315 (relative sequence number)
    Next sequence number: 2312 (relative sequence number)
    Acknowledgement number: 853 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 64683
*****************************************************
*****************************************************
* CHECKSUM ERROR -- comments added by me
*****************************************************
*****************************************************
    Checksum: 0xbf70 [incorrect, should be 0x2f4c]
    SEQ/ACK analysis
Hypertext Transfer Protocol
    GET /cgi-bin/1/printenv HTTP/1.1\r\n
        Request Method: GET
        Request URI: /cgi-bin/1/printenv
        Request Version: HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n
    Accept-Language: en-us\r\n
    UA-CPU: x86\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n
    Host: curly.corp.inthosts.net\r\n
    Connection: Keep-Alive\r\n
    Authorization: Negotiate YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSXYIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBNQVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            SPNEGO
                negTokenInit
                    mechTypes: 3 items
                        Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        Item: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 6082049306092A864886F71201020201006E820482308204...
                        krb5_blob: 6082049306092A864886F71201020201006E820482308204...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REQ (0x0001)
                            Kerberos AP-REQ
                                Pvno: 5
                                MSG Type: AP-REQ (14)
                                Padding: 0
                                APOptions: 20000000 (Mutual required)
                                    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                                    ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
                                Ticket
                                    Tkt-vno: 5
                                    Realm: MAX.INTHOSTS.NET
                                    Server Name (Service and Instance): HTTP/curly.corp.inthosts.net
                                        Name-type: Service and Instance (2)
                                        Name: HTTP
                                        Name: curly.corp.inthosts.net
                                    enc-part rc4-hmac
                                        Encryption type: rc4-hmac (23)
                                        Kvno: 2
                                        enc-part: B03EAB462F73653D61D98C3CA97705CFFD50D177D14021EA...
                                Authenticator rc4-hmac
                                    Encryption type: rc4-hmac (23)
                                    Authenticator data: E3A02A891F9A43AD16797C0D26D395BA356381948B70C925...
    \r\n
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
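The Authorization header in the capture above carries a SPNEGO negTokenInit with a Kerberos AP-REQ inside it, and the dissection shows the ticket was encrypted with rc4-hmac (etype 23), kvno 2, for HTTP/curly.corp.inthosts.net in realm MAX.INTHOSTS.NET. What follows is an added example, not code from the thread, from mod_auth_kerb or from Ethereal: a small DER walker that decodes a saved "Authorization: Negotiate" value and reports the mechanism list, the inner mechanism, the ticket's realm and, when the token is complete, the enc-part etype and kvno. Its sample input is the truncated base64 token quoted in the post (the mail cut it off inside the server name), so the walker is written to stop cleanly wherever the bytes run out rather than misreport anything. The function names, the OID table and the dictionary keys are this example's own.

```python
"""Added example (not code from the thread or from mod_auth_kerb): decode the SPNEGO/Kerberos
structure inside an "Authorization: Negotiate" value, tolerating a cut-off token."""
import base64

# Constructed test input: the truncated base64 prefix quoted in the post.  It ends
# inside the ticket's sname, so the enc-part (etype, kvno) is not there to decode.
TOKEN_PREFIX = (
    "YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSX"
    "YIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBN"
    "QVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx"
)
OID_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.48018.1.2.2": "MS KRB5",
             "1.2.840.113554.1.2.2": "KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(buf, pos):
    """DER TLV at pos -> (tag, start, end, next_pos); end is clamped, None if the header is cut off."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: the next n bytes hold the length
        n = length & 0x7F
        if pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, min(pos + length, len(buf)), pos + length

def oid_name(buf, tlv):
    """Decode the OID inside a TLV (base-128 arcs, high bit = continue) to a name."""
    raw = buf[tlv[1]:tlv[2]]
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def fields(buf, seq):
    """Yield (tag_number, inner_tlv) per [n] EXPLICIT field of seq; stop where bytes run out."""
    pos = seq[1] if seq else 0
    while seq and pos < seq[2]:
        field = read_tlv(buf, pos)
        inner = read_tlv(buf, field[1]) if field else None
        if inner is None:
            return
        yield field[0] & 0x1F, inner
        pos = field[3]

def parse_ticket(buf, ticket, info):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno[0], realm[1], sname[2], enc-part[3] }"""
    for n, inner in fields(buf, read_tlv(buf, ticket[1])):
        if n == 1:
            info["realm"] = buf[inner[1]:inner[2]].decode("latin-1")
        elif n == 3:                               # EncryptedData { etype[0], kvno[1], cipher[2] }
            for m, v in fields(buf, inner):
                if m in (0, 1):                    # etype and kvno: both must match a keytab entry
                    info[("ticket_etype", "ticket_kvno")[m]] = int.from_bytes(buf[v[1]:v[2]], "big")
            info["complete"] = "ticket_etype" in info

def parse_ap_req(buf, pos, info):
    """KRB5 InitialContextToken: 0x60 len, KRB5 OID, 2-byte TOK_ID, then the AP-REQ."""
    tok = read_tlv(buf, pos)
    mech = read_tlv(buf, tok[1]) if tok and tok[0] == 0x60 else None
    if mech is None or mech[3] + 2 > len(buf):
        return
    info["inner_mech"] = oid_name(buf, mech)
    tok_id = buf[mech[3]:mech[3] + 2].hex()
    info["tok_id"] = {"0100": "KRB5_AP_REQ", "0200": "KRB5_AP_REP"}.get(tok_id, tok_id)
    ap_req = read_tlv(buf, mech[3] + 2)            # AP-REQ ::= [APPLICATION 14] SEQUENCE
    seq = read_tlv(buf, ap_req[1]) if ap_req and ap_req[0] == 0x6E else None
    for n, inner in fields(buf, seq):              # [0] pvno, [1] msg-type, [2] ap-options, [3] ticket
        if n == 3:
            parse_ticket(buf, inner, info)

def parse_negotiate(header_value):
    """Parse an Authorization: Negotiate value (the base64 may be truncated)."""
    b64 = header_value.split()[-1]
    buf = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    info = {"mech_types": [], "complete": False}
    outer = read_tlv(buf, 0)
    mech = read_tlv(buf, outer[1]) if outer and outer[0] == 0x60 else None
    if mech is None:
        raise ValueError("not a GSS-API InitialContextToken")
    info["outer_mech"] = oid_name(buf, mech)
    neg = read_tlv(buf, mech[3])                   # [0] negTokenInit
    seq = read_tlv(buf, neg[1]) if neg and neg[0] == 0xA0 else None
    for n, inner in fields(buf, seq):
        if n == 0:                                 # mechTypes: SEQUENCE OF OID, client's preference order
            p = inner[1]
            while p < inner[2]:
                o = read_tlv(buf, p)
                if o is None or o[2] < o[3]:       # cut off inside an OID
                    break
                info["mech_types"].append(oid_name(buf, o))
                p = o[3]
        elif n == 2:                               # mechToken: OCTET STRING holding the KRB5 token
            parse_ap_req(buf, inner[1], info)
    return info
```

Calling parse_negotiate("Negotiate " + TOKEN_PREFIX) on the quoted prefix returns outer_mech SPNEGO, mech_types MS KRB5 / KRB5 / NTLMSSP, inner_mech KRB5, tok_id KRB5_AP_REQ and realm MAX.INTHOSTS.NET with complete set to False, which already confirms that the browser picked Kerberos rather than NTLM and obtained a ticket for the right realm. On a complete token the dict also carries ticket_etype and ticket_kvno; the dissection above shows 23 (rc4-hmac) and 2, and the Apache host's keytab must contain a key for HTTP/curly.corp.inthosts.net with that same etype and kvno (klist -k -e lists both) or mod_auth_kerb cannot decrypt the ticket, which is what the DES question in the reply is getting at. The TCP checksum Ethereal flags on frame 7 is unrelated to the negotiation: captures taken on a host with checksum offloading routinely show its own outgoing segments as "incorrect".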