Apache Authentication Question

jfrankman jfrankman at idfbins.com
Fri Nov 17 12:55:07 EST 2006


I have set up an Apache web server to secure a directory using Kerberos. I
am finding that if "Integrated Windows Authentication" is turned on in
Internet Explorer, a user can access the secured directory on the web server.
However, if I turn off "Integrated Windows Authentication", I get
prompted for a password. This is what I expected to happen, but when I enter
a valid Active Directory account and password, I still get Access Denied. My
understanding of Kerberos and IE is that if "Integrated Windows
Authentication" is turned on, the browser sends the IE user's username
and password to AD to get a ticket. Can anyone tell me why I can
authenticate when IE passes my credentials but cannot authenticate when I am
prompted and enter them manually?

My Apache config and keytab config can be found below:


<Directory "/srv/www/private">
# Host-based access control (Order/Allow): every client address is allowed,
# so access to this directory is decided by the authentication directives
# below alone.
Order allow,deny
Allow from all

# Directory listings are enabled: once a user is authenticated, every file
# under /srv/www/private is listable.
Options Indexes
        # mod_auth_kerb. Two methods are enabled: Negotiate (the client
        # presents a Kerberos service ticket, which is what a browser with
        # integrated Windows authentication does) and K5Passwd (the client
        # is prompted and its username/password are sent to Apache in the
        # request, where mod_auth_kerb checks them against the KDC). Because
        # K5Passwd carries the user's password over HTTP, this directory
        # should only be served over TLS.
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        # Only principals from this realm are accepted.
        KrbAuthRealms IDFBINS.COM
        # Keytab with the service key used to decrypt client tickets. The
        # password method also validates the credentials it obtains against
        # this keytab (mod_auth_kerb's KrbVerifyKDC, on by default), so a
        # keytab or clock-skew problem can break the password path while
        # Negotiate keeps working — the Apache error log shows which step
        # fails. NOTE(review): likely cause of the reported symptom; confirm.
        Krb5Keytab  /srv/www/apache.keytab
        # Any successfully authenticated principal is authorized.
        Require valid-user
</Directory>

# NOTE(review): the first [libdefaults]/[realms] run below repeats the start
# of the same file and is missing the closing "}" of its IDFBINS.COM stanza.
# This looks like a paste duplicate in the message rather than the file the
# host actually reads — confirm against /etc/krb5.conf.
[libdefaults]
        default_realm = IDFBINS.COM
        clockskew = 300

[realms]
IDFBINS.COM = {
        kdc = fbms2010.idfbins.com
        default_domain = nexustest.idfbins.com
        admin_server = fbms2010.idfbins.com
[libdefaults]
        # Realm assumed for principal names given without an @REALM suffix.
        default_realm = IDFBINS.COM
        # Maximum tolerated clock difference (seconds) between this host and
        # the KDC; authentication fails beyond it, so keep the web server,
        # the KDC and the clients time-synchronised.
        clockskew = 300

[realms]
# Production realm: the AD domain controller serves as both KDC and admin
# server.
IDFBINS.COM = {
        kdc = fbms2010.idfbins.com
        default_domain = nexustest.idfbins.com
        admin_server = fbms2010.idfbins.com
}
# Distribution sample realm left in place; it is not referenced by anything
# else in this file.
EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
}

# Log destinations for the KDC/kadmind daemons; only relevant if this host
# runs them (presumably it does not, since the KDC above is a separate
# machine — confirm).
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
# Maps DNS domains to realms. NOTE(review): the " at " in the first entry is
# almost certainly the list archive's rewriting of "@"; a domain_realm key is
# a DNS domain name, so that entry is probably ignored and the second line is
# the effective mapping — verify in the real file.
[domain_realm]
        .nexustest at idfbins.com = IDFBINS.COM
        .nexustest.idfbins.com = IDFBINS.COM
# Options for pam_krb5 (local logins), unrelated to the Apache module.
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        # Forwardable TGTs can be delegated to other services on the user's
        # behalf; only needed if such delegation is actually used.
        forwardable = true
        proxiable = false
        retain_after_close = false
        # minimum_uid = 0 appears to apply Kerberos PAM handling to every
        # account including uid 0 — TODO confirm against the pam_krb5 docs.
        minimum_uid = 0
        try_first_pass = true
}


-- 
View this message in context: http://www.nabble.com/Apache-Authentication-Question-tf2655798.html#a7407934
Sent from the Kerberos - General mailing list archive at Nabble.com.



