Mod_auth_kerb problems with AD
Richard E. Silverman
res at qoxp.net
Sat May 20 16:50:39 EDT 2006
>>>>> "MG" == "Martin Goldstone" <martin.goldstone at nulc.ac.uk> writes:
MG> Yes, I thought that was probably the case. From what I've read on
MG> various sites, not enough information is provided for the Windows
MG> box to use Kerberos, so it falls back on NTLM.
MG> I did a brief experiment with it and set the KrbServiceName as I
MG> said in my previous mail. The first time I loaded it, I got that
MG> error message that I mentioned in the log, and a 500 error in the
MG> browser, but then I checked kerbtray.exe, and I'd got a ticket for
MG> it. I changed .htaccess back by commenting out the
MG> KrbServiceName, and the page worked fine for a while.
MG> Unfortunately, it stopped (it would seem that my ticket cache was
MG> emptied according to kerbtray), and even by following exactly the
MG> same steps I've been unable to cause this to happen again.
MG> However, it does seem to me like this might be along the right
MG> track. I do think that Windows has no idea what realm to check.
MG> However, I've been unable to
MG> find anything on the net that says anything about doing
MG> domain-realm mapping on Windows,
As I said, the normal mechanism is Kerberos referrals (which I believe
Microsoft essentially invented).
MG> or about what the syntax should be for the KrbServiceName
MG> directive
The syntax is a Kerberos principal name, which may be abbreviated by
omitting the realm, or realm and instance, which will be filled in with
the default realm and fqdn, respectively.
MG> I need some way to force Windows to look at the NULCOLLEGE.AC.UK
MG> realm when the domain name is nulc.ac.uk. Any ideas on whether
MG> this is possible?
You may be able to do something with netdom /addtln; I'm trying to get
Microsoft to explain that now.
--
Richard Silverman
res at qoxp.net
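As an added example (not from this thread, and not mod_auth_kerb's or krb5's own code), the Python sketch below shows the two points discussed above: how an abbreviated KrbServiceName principal gets its missing instance (the server FQDN) and realm (the default realm) filled in, and why a domain-to-realm mapping is needed to get from the DNS domain nulc.ac.uk to the realm NULCOLLEGE.AC.UK, since the naive guess of uppercasing the domain yields NULC.AC.UK. The host names and the mapping table are constructed, and the default realm is an assumption.

```python
import re

# Assumed default realm of the web server and a constructed [domain_realm]-style table.
DEFAULT_REALM = "NULCOLLEGE.AC.UK"
DOMAIN_REALM = {".nulc.ac.uk": "NULCOLLEGE.AC.UK", "nulc.ac.uk": "NULCOLLEGE.AC.UK"}

def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped characters untouched."""
    out, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair for now
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            out, cur, i = out + [cur], "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return out + [cur]

def parse_principal(name):
    """Split 'HTTP/host@REALM' into (components, realm); realm is None if absent."""
    head, *rest = _split_unescaped(name, "@")
    if len(rest) > 1:
        raise ValueError("more than one unescaped '@' in %r" % name)
    unescape = lambda t: re.sub(r"\\(.)", r"\1", t)   # drop the backslashes
    comps = [unescape(c) for c in _split_unescaped(head, "/")]
    return comps, (unescape(rest[0]) if rest and rest[0] else None)

def expand_service_name(name, fqdn, default_realm=DEFAULT_REALM):
    """Fill in what an abbreviated KrbServiceName omits: no instance -> the
    server's FQDN, no realm -> the default realm."""
    comps, realm = parse_principal(name)
    if not comps[0]:
        raise ValueError("empty primary component in %r" % name)
    if len(comps) == 1:
        comps.append(fqdn)
    return "/".join(comps) + "@" + (realm or default_realm)

def realm_for_host(fqdn, mapping=DOMAIN_REALM):
    """Look up a host's realm like a [domain_realm] section: exact host first,
    then each parent domain with a leading dot (longest match wins). With no
    entry, fall back to uppercasing the parent domain, which is the wrong guess here."""
    host = fqdn.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        key = ("" if i == 0 else ".") + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return ".".join(labels[1:]).upper()
```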