failed to authenticate using mod_auth_kerb for Apache

Markus Moeller huaraz at moeller.plus.com
Mon Oct 3 15:04:52 EDT 2005


Can you describe what you have done? When you always get an NTLM token it 
normally means that there is no key for this service in your KDC. Check 
that you don't use CNAMEs. Use kerbtray on your Windows machine to see 
which tickets are available for IE.

Regards
Markus

"Siarhei Baidun" <siarheibaidun at gmail.com> wrote in message 
news:a665a890510030230t7f5f669cg2a80847aa77191e0 at mail.gmail.com...
Hello Everybody,
I'm experiencing a problem that is getting very serious for me since I have
not found any solution for a week.
I have a SuSe 9.0 Enterprise Server installed with Apache 2.0.49.
My goal is to set up Kerberos authentication.
I have also installed and configured the mod_auth_kerb module for Apache.
Now I'm trying to access protected pages on my server via a browser (I tried
IE6, Mozilla 1.7.12 and FireFox 1.5b1).
I'm constantly getting a 401 error - authentication failed!
I have debugged the HTTP calls and have found that the browser sends an NTLMSSP
response instead of a Kerberos one.
As a result Apache writes the following to the error log:
[Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.154] Acquiring creds for HTTP/gvepl100.internal.epo.org@INTERNAL.EPO.ORG
[Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.154] Verifying client data using KRB5 GSS-API
[Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.154] Verification returned code 589824
[Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1194): [client 10.3.103.154] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Oct 03 11:04:04 2005] [error] [client 10.3.103.154] gss_accept_sec_context() failed: A token was invalid (Success)
For a week already I have been unable to find a workaround for the problem, or
at least the reason for such behaviour.
And this does not depend on the browser - IE, Mozilla or Firefox - I'm
getting the same on all of them.
I would very much appreciate it if somebody could give me a hint about what is
happening, why, and how to solve the problem.
 --
Thanks a lot in advance,
Siarhei Baidun
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
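
An added diagnostic example (not part of the thread and not mod_auth_kerb code): classifying the token a browser sends in `Authorization: Negotiate`, to confirm whether it is raw NTLMSSP, as in the log above, or a Kerberos/SPNEGO token. The function names, the sample tokens and the first-listed-mechanism heuristic are assumptions of this example.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))    # 1.2.840.48018.1.2.2 (Microsoft)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                      # raw NTLMSSP: the case in the log above
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    # Skip the GSS-API [APPLICATION 0] tag and its DER length (short or long form).
    body = token[2 + (token[1] & 0x7F if token[1] & 0x80 else 0):]
    if body.startswith(KRB5_OIDS):
        return "kerberos"                  # bare Kerberos token, no SPNEGO wrapper
    if not body.startswith(OID_SPNEGO):
        return "unknown"
    # Heuristic (assumption): the mechanism listed first is the one the token is for.
    offers = [(body.find(oid), name) for oid, name in
              [(KRB5_OIDS[0], "spnego-kerberos"), (KRB5_OIDS[1], "spnego-kerberos"),
               (OID_NTLMSSP, "spnego-ntlm")] if oid in body]
    return min(offers)[1] if offers else "unknown"


def tlv(tag, body):
    """DER tag-length-value, short lengths only; used to build the samples."""
    return bytes([tag, len(body)]) + body


# Constructed samples (not captured traffic): an NTLM type-1 message and a
# SPNEGO NegTokenInit whose mechTypes list offers Kerberos before NTLM.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
mechs = tlv(0x30, KRB5_OIDS[1] + KRB5_OIDS[0] + OID_NTLMSSP)
SAMPLE_SPNEGO_KRB = "Negotiate " + base64.b64encode(
    tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, tlv(0xA0, mechs))))).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO_KRB):
        print(classify_negotiate(sample), sample[:40])
```

A header value that starts with `Negotiate TlRMTVNT` is the base64 form of the NTLMSSP signature, so the NTLM case can also be spotted directly in a request trace.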