Mod_auth_kerb problems with AD

[Martin Goldstone]

Yes, I thought that was probably the case.  From what I've read on various sites, not enough information is provided for the Windows box to use Kerberos, so it falls back on NTLM.

I did a brief experiment with it and set the KrbServiceName as i said in my previous mail.  The first time I loaded it, I got that error message that I mentioned in the log, and a 500 error in the browser, but then I checked kerbtray.exe, and I'd got a ticket for it.  I changed .htaccess back by commenting out the KrbServiceName, and the page worked fine for a while.  Unfortunately, it stopped (it would seem that my ticket cache was emptied according to kerbtray), and even by following exactly the same steps I've been unable to cause this to happen again.  However, it does seem to me like this might be along the right track.  I do think that Windows has no idea what realm to check, thats why it falls back to NTLM.  However, I've been unable to find anything on the net that says anything about doing domain-realm mapping on Windows, or about what the syntax should be for the KrbServiceName directive (if its even possible to do what I want with that directive).  I think I just need some way to force Windows to look at the NULCOLLEGE.AC.UK realm when the domain name is nulc.ac.uk.  Any ideas on whether this is possible?

Martin Goldstone
IT Technician
Newcastle-under-Lyme College
Liverpool Road, Newcastle-under-Lyme
Staffordshire ST5 2DF



-----Original Message-----
From: kerberos-bounces at MIT.EDU on behalf of Richard E. Silverman
Sent: Sat 20/05/2006 02:40
To: kerberos at MIT.EDU
Subject: Re: Mod_auth_kerb problems with AD
 

I think that particular error can appear if the client tries NTLM instead
of Kerberos; some versions of mod_auth_kerb do not recognize this and
choke on it.

-- 
  Richard Silverman
  res at qoxp.net

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos