Mod_auth_kerb problems with AD

Martin Goldstone martin.goldstone at nulc.ac.uk
Fri May 19 09:43:18 EDT 2006


Hi,

Apologies if this question has been asked before, but I have not been able to find a solution despite scouring the archives and the net in general.

My situation is this:

We have a webserver running Apache 2 on CentOS 4, with the mod_auth_kerb (v 5.0 (rc5 I think)) module installed.  We want to get a single sign on solution working with our Active Directory domains.  The clients will be IE6 on Windows XP.

Now, our situation may be complicated somewhat by the fact that we have 2 separate Active Directory Domains (they are actually in separate forests).  There are cross-trust domains which work fine with file shares from Windows servers etc., so hopefully it's not complicating it too much.

Our domains are these: nulcollege.ac.uk and domain.ac.uk.  The webserver's fqdn is webtest.nulc.ac.uk (this is because at the end of the day we will need to have Kerberos (single sign on) internally and password based (over SSL) externally, and our domain name is nulc.ac.uk).  I've created a user in the nulcollege domain, set up the service principal, generated the keytab and checked that the webserver's Kerberos setup and keytab are all OK, which they seem to be.

I set up IE on a test client (added that host to the Intranet Zone, made sure it could use Integrated Windows Authentication etc), but I got no joy.  I checked the logs, and surprise surprise, I got the same error as others seem to get: gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt). (I'd previously set KrbMethodK5Passwd Off so that it would only work with a ticket for the time being).

I deleted and recreated the user and service principal as suggested by various sites but to no avail.  I then tried it with a Fedora 5 client. After setting up Kerberos on there and verifying it by getting a ticket with my AD account details, I tried the test area that I had set up, and it worked perfectly.  Upon checking my ticket cache, I'd got a ticket listed there with the name of the webserver (something that I did not see on Windows when using kerbtray.exe), so everything seems to be fine on the Fedora box.

This got me thinking: could it be the case that Windows is looking for a realm by the name of NULC.AC.UK, a realm that does not exist, because of the domain name of the webserver?  On the Fedora box, I had already set a domain-realm mapping for it.  The question is, can I do this on a Windows machine? Or could it be that the Windows box needs more information in order to send the ticket?  I've tried setting the KrbServiceName to be the entire service principal (i.e. HTTP/webtest.nulc.ac.uk@NULCOLLEGE.AC.UK) but to no avail, as I just get an internal server error, and the log just says: gss_import_name() failed: An invalid name was supplied (Hostname cannot be canonicalized).

Of course, I might be going in completely the wrong direction with this, but does anyone have any ideas along these or any other lines?

Cheers,

Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | martin.goldstone at nulc.ac.uk
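Two things in the post are checkable from the server side, and the following script is an added example for doing so; it is not code from the original thread or from mod_auth_kerb. First, the "Token header is malformed or corrupt" message from gss_accept_sec_context() is what a GSS-API Kerberos mechanism reports when the client sends something other than a Kerberos or SPNEGO token; a client that could not obtain a service ticket for the SPN commonly falls back to sending an NTLMSSP blob in the same `Authorization: Negotiate` header, which looks identical in the access log. The first function decodes such a header and classifies it by its leading bytes (NTLMSSP signature, or the DER InitialContextToken with the SPNEGO or Kerberos V5 mechanism OID). Second, the post's suspicion that the client guesses realm NULC.AC.UK from the host's DNS domain can be reproduced by applying a krb5.conf `[domain_realm]` mapping the way libkrb5 does (exact host first, then parent domains with a leading dot). The header values and the krb5.conf text below are constructed for the demonstration.

```python
"""Diagnostics for the two symptoms described in the post.
Added example, not part of the original thread; sample tokens and the
krb5.conf fragment are constructed here."""
import base64
import re

# DER encodings of the mechanism OIDs that open a GSS-API InitialContextToken
OID_SPNEGO = bytes([0x2b, 0x06, 0x01, 0x05, 0x05, 0x02])                    # 1.3.6.1.5.5.2
OID_KRB5 = bytes([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02])    # 1.2.840.113554.1.2.2


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7f
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value.

    Returns 'NTLMSSP' (client fell back to NTLM; the Kerberos mechanism will
    reject it as a malformed token), 'SPNEGO', 'KRB5' (raw Kerberos AP-REQ
    wrapper) or 'unknown'.
    """
    m = re.match(r"\s*Negotiate\s+(\S+)", header_value)
    if not m:
        return "unknown"
    try:
        tok = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return "unknown"
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"
    if not tok or tok[0] != 0x60:   # [APPLICATION 0] tag of InitialContextToken
        return "unknown"
    try:
        _, pos = _der_length(tok, 1)
        if tok[pos] != 0x06:        # OBJECT IDENTIFIER tag
            return "unknown"
        oid_len, pos = _der_length(tok, pos + 1)
        oid = tok[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "unknown"
    if oid == OID_SPNEGO:
        return "SPNEGO"
    if oid == OID_KRB5:
        return "KRB5"
    return "unknown"


def parse_domain_realm(krb5_conf_text):
    """Extract the [domain_realm] section of a krb5.conf into a dict."""
    mapping, section = {}, None
    for line in krb5_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(hostname, mapping):
    """Resolve a host to a realm as libkrb5 does: exact host entry first, then
    each parent domain with a leading dot. None means no mapping applies, so
    the client would guess the realm from the DNS domain (NULC.AC.UK for
    webtest.nulc.ac.uk), which is the post's suspected failure."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def _der_token(oid, body):
    """Build a minimal InitialContextToken around a mechanism OID (constructed)."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return b"\x60" + bytes([len(inner)]) + inner


# Constructed sample header values, one per scenario in the post
SAMPLE_HEADERS = {
    "xp_no_ticket": "Negotiate " + base64.b64encode(
        b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 22).decode(),
    "fedora_client": "Negotiate " + base64.b64encode(
        _der_token(OID_SPNEGO, b"\xa0\x03\x0a\x01\x00")).decode(),
    "raw_kerberos": "Negotiate " + base64.b64encode(
        _der_token(OID_KRB5, b"\x01\x00")).decode(),
}

SAMPLE_KRB5_CONF = """# constructed krb5.conf fragment for the Fedora box
[libdefaults]
    default_realm = NULCOLLEGE.AC.UK

[domain_realm]
    .nulcollege.ac.uk = NULCOLLEGE.AC.UK
    .nulc.ac.uk = NULCOLLEGE.AC.UK
"""

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:14s} -> {classify_negotiate_token(hdr)}")
    realms = parse_domain_realm(SAMPLE_KRB5_CONF)
    print("with mapping   ->", realm_for_host("webtest.nulc.ac.uk", realms))
    print("no mapping     ->", realm_for_host("webtest.nulc.ac.uk", {}))
```

Run it against a real capture by pasting the header value from a packet trace or from Apache's `%{Authorization}i` log format into `classify_negotiate_token`; an NTLMSSP result confirms the client never had a ticket for the SPN, which points at realm resolution or SPN registration rather than at the keytab.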
