Seamless/transparent SSO with Apache, Win2003, IE
david.turing
openssl at 21cn.com
Thu Nov 10 21:26:06 EST 2005
Yes, checksum problem. I do think there is a compatibility problem in IE6.
Hope this link would help:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
----- Original Message -----
From: "Sung Ho Jee" <jee.sung at ansaldo-signal.com.au>
To: "Fred Dennis" <fd_1972tn at yahoo.com>
Cc: <kerberos at mit.edu>
Sent: Friday, November 11, 2005 10:08 AM
Subject: Re: Seamless/transparent SSO with Apache, Win2003, IE
> Did you have the 'Use DES encryption types for this account' option ticked
> for the HTTP service account when generating its keytab file?
>
> Regards,
>
> Sung-ho Jee
>
> Fred Dennis <fd_1972tn at yahoo.com>
> Sent by: kerberos-bounces at mit.edu
> 11/11/2005 12:41 AM
>
> To: kerberos at mit.edu
> cc:
> Subject: Seamless/transparent SSO with Apache, Win2003, IE
>
> I'm trying to create a seamless sign on to a web site
> using Solaris (Kerberos installed), Apache
> (mod_auth_kerb installed), MS Active directory, and IE
> client.
>
> I can authenticate using an AD user/pass to a website
> if the IE option "Enable Integrated Authentication" is
> *UN*checked. When going to the url I get a login
> prompt and enter the account information, then am
> allowed access to the web site.
>
> However, when the option is CHECKED, I am passed
> directly to the web site (which is what I want), BUT
> get the apache log errors below and a "Page cannot be
> displayed" error.
>
> Looking at the packets going to/from web server I can
> see some sort of negotiation going on, but also see a
> "checksum incorrect" message. The ethereal output is
> below.
>
> I would greatly appreciate assistance with this. I've
> been trying to find a solution for the past week to no
> avail.
>
> Thanks!
>
> ============ APACHE ERROR LOG ===============
> [Thu Nov 10 08:34:37 2005] [debug]
> src/mod_auth_kerb.c(1322): [client 10.76.105.97]
> kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Thu Nov 10 08:34:37 2005] [debug]
> src/mod_auth_kerb.c(1023): [client 10.76.105.97]
> Acquiring creds for
> HTTP/curly.corp.inthosts.net at MAX.INTHOSTS.NET
>
> ================ PACKET CAPTURE ===============
> Frame 7 (2051 bytes on wire, 2051 bytes captured)
> Ethernet II, Src: Intel_40:15:ec (00:d0:b7:40:15:ec),
> Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
> Internet Protocol, Src: 10.76.105.97 (10.76.105.97),
> Dst: 10.76.65.113 (10.76.65.113)
> Transmission Control Protocol, Src Port: 3188 (3188),
> Dst Port: http (80), Seq: 315, Ack: 853, Len: 1997
> Source port: 3188 (3188)
> Destination port: http (80)
> Sequence number: 315 (relative sequence number)
> Next sequence number: 2312 (relative sequence
> number)
> Acknowledgement number: 853 (relative ack
> number)
> Header length: 20 bytes
> Flags: 0x0018 (PSH, ACK)
> Window size: 64683
>
> *****************************************************
> *****************************************************
> * CHECKSUM ERROR -- comments added by me
> *****************************************************
> *****************************************************
>
> Checksum: 0xbf70 [incorrect, should be 0x2f4c]
> SEQ/ACK analysis
> Hypertext Transfer Protocol
> GET /cgi-bin/1/printenv HTTP/1.1\r\n
> Request Method: GET
> Request URI: /cgi-bin/1/printenv
> Request Version: HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, */*\r\n
> Accept-Language: en-us\r\n
> UA-CPU: x86\r\n
> Accept-Encoding: gzip, deflate\r\n
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n
> Host: curly.corp.inthosts.net\r\n
> Connection: Keep-Alive\r\n
> Authorization: Negotiate
> YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSXYIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBNQVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx
> GSS-API Generic Security Service Application
> Program Interface
> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple
> Protected Negotiation)
> SPNEGO
> negTokenInit
> mechTypes: 3 items
> Item: 1.2.840.48018.1.2.2 (MS
> KRB5 - Microsoft Kerberos 5)
> Item: 1.2.840.113554.1.2.2
> (KRB5 - Kerberos 5)
> Item: 1.3.6.1.4.1.311.2.2.10
> (NTLMSSP - Microsoft NTLM Security Support Provider)
> mechToken:
> 6082049306092A864886F71201020201006E820482308204...
> krb5_blob:
> 6082049306092A864886F71201020201006E820482308204...
> KRB5 OID: 1.2.840.113554.1.2.2
> (KRB5 - Kerberos 5)
> krb5_tok_id: KRB5_AP_REQ
> (0x0001)
> Kerberos AP-REQ
> Pvno: 5
> MSG Type: AP-REQ (14)
> Padding: 0
> APOptions: 20000000
> (Mutual required)
> .0.. .... .... ....
> .... .... .... .... = Use Session Key: Do NOT use the
> session key to encrypt the ticket
> ..1. .... .... ....
> .... .... .... .... = Mutual required: MUTUAL
> authentication is REQUIRED
> Ticket
> Tkt-vno: 5
> Realm:
> MAX.INTHOSTS.NET
> Server Name (Service
> and Instance): HTTP/curly.corp.inthosts.net
> Name-type: Service
> and Instance (2)
> Name: HTTP
> Name:
> curly.corp.inthosts.net
> enc-part rc4-hmac
> Encryption type:
> rc4-hmac (23)
> Kvno: 2
> enc-part:
> B03EAB462F73653D61D98C3CA97705CFFD50D177D14021EA...
> Authenticator rc4-hmac
> Encryption type:
> rc4-hmac (23)
> Authenticator data:
> E3A02A891F9A43AD16797C0D26D395BA356381948B70C925...
> \r\n
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
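An added example, not part of the thread: a small DER walker that decodes the Negotiate token exactly as Ethereal printed it above (cut off mid-ticket by the sniffer) and pulls out the fields a server operator needs to compare against the keytab and GSSAPI library, namely the offered mechanism OIDs, the AP-REQ options and the ticket realm. The mechanism labels and the result field names are my own.

```python
import base64
TOKEN_B64 = (  # Negotiate token as printed in the capture above (the sniffer cut it off)
    "YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSX"
    "YIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBN"
    "QVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx"
)
MECH_NAMES = {"1.2.840.48018.1.2.2": "MS KRB5", "1.2.840.113554.1.2.2": "KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}  # labels are ours, OIDs are from the capture

def tlv(buf, i):  # one DER tag/length/value at offset i; slicing tolerates truncation
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        ln, i = int.from_bytes(buf[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
    return tag, buf[i:i + ln], i + ln

def children(v):  # ordered (tag, value) pairs nested inside a constructed value
    out, i = [], 0
    while i < len(v):
        tag, body, i = tlv(v, i)
        out.append((tag, body))
    return out

def decode_oid(v):  # DER OID content bytes -> dotted string
    parts, n = [v[0] // 40, v[0] % 40], 0
    for c in v[1:]:
        n = (n << 7) | (c & 0x7F)
        if not c & 0x80:
            parts, n = parts + [n], 0
    return ".".join(map(str, parts))

def parse_negotiate(b64):
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])  # drop the cut-off quantum
    _, gss, _ = tlv(raw, 0)  # [APPLICATION 0] InitialContextToken
    (_, oid), (_, neg) = children(gss)[:2]
    if decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO token")
    init = dict(children(children(neg)[0][1]))  # [0] negTokenInit -> its SEQUENCE
    mechs = [decode_oid(b) for _, b in children(children(init[0xA0])[0][1])]
    _, inner, _ = tlv(children(init[0xA2])[0][1], 0)  # [2] mechToken -> inner GSS token
    _, mech_oid, i = tlv(inner, 0)
    _, ap_req, _ = tlv(inner, i + 2)  # skip the 2-byte TOK_ID (0x0001 = KRB_AP_REQ)
    ap = dict(children(children(ap_req)[0][1]))  # [APPLICATION 14] AP-REQ fields
    options = int.from_bytes(children(ap[0xA2])[0][1][1:], "big")  # BIT STRING minus pad byte
    ticket = dict(children(children(children(ap[0xA3])[0][1])[0][1]))
    enc = dict(children(ticket[0xA3])) if 0xA3 in ticket else {}  # absent when truncated
    return {"mech_types": [MECH_NAMES.get(m, m) for m in mechs],
            "inner_mech": MECH_NAMES.get(decode_oid(mech_oid)),
            "mutual_required": bool(options & 0x20000000),  # KerberosFlags bit 2
            "realm": children(ticket[0xA1])[0][1].decode(),
            "ticket_etype": int.from_bytes(children(enc[0xA0])[0][1], "big") if enc else None}
```

The rc4-hmac (23) enc-part that Ethereal decoded lies in the cut-off part of the line, so the parser returns None for the etype here; on a complete token it returns the enctype the HTTP service key in the keytab must match. If the capture was taken on the client, a TCP checksum reported as incorrect on its own outgoing packet is the usual sign of NIC checksum offload on that host rather than corruption on the wire, so it is worth verifying before treating it as the fault.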