failed to verify krb5 credentials

Silvio Gissi silvio.listas at
Sun Mar 19 11:44:35 EST 2006

Dear Abbas,

> I really need SPNEGO Kerberos authentication with mod_auth_kerb.
> I have followed the excellent tutorial on how to set this at

Very good link, thanks.

> but still, the HTTP header file has
> WWW-Authenticate negotiate
> WWW-Authenticate Basic realm="Kerberos Login"
> and asks the user to enter his username and password.

>From my experience (using IIS/IE only, YMMV) if the server proposes both
Negotiate and Basic, the browser will use Negotiate if possible. If it
can't use Negotiate then the client will fall back to Basic and prompt
for user and password.

> <snip>

> I believe I need to set:
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> and place my webserver in the intranet zone in IE.

This is correct, as per the link you sent:
"KrbMethodNegotiate controls if your webserver uses SPNEGO Kerberos.
KrbMethodK5Passwd controls if your webserver uses BasicAuth with KDC as

Set KrbMethodK5Passwd to off to avoid being prompted for user and
password. Of course that this will make impossible for users not
authenticated on Kerberos to access the resources.

> Please let me know, so that when i go to work tomorrow i can implement
> these changes. 
> thanks.

Hope that helps.


Silvio Gissi

More information about the Kerberos mailing list