Apache Authentication Question
jfrankman
jfrankman at idfbins.com
Fri Nov 17 12:55:07 EST 2006
I have set up an Apache web server to secure a directory using Kerberos. I
am finding that if "Integrated Windows Authentication" is turned on in
Internet Explorer a user can access the secured directory on the web server.
However, if I turn off the "Windows Integrated Authentication" I get
prompted for a password. This is what I expected to happen, but when I enter
a valid Active Directory account and password, I still get Access Denied. My
understanding of Kerberos and IE is that if "Integrated Windows
Authentication" is turned on, the browser will send the IE user's username
and password to AD to get a ticket. Can anyone tell me why I can
authenticate when IE passes my credentials but cannot authenticate when I am
prompted and enter them in manually?

My Apache config and keytab config can be found below:
<Directory "/srv/www/private">
    Order allow,deny
    Allow from all
    Options Indexes
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms IDFBINS.COM
    Krb5Keytab /srv/www/apache.keytab
    Require valid-user
</Directory>
[libdefaults]
    default_realm = IDFBINS.COM
    clockskew = 300

[realms]
    IDFBINS.COM = {
        kdc = fbms2010.idfbins.com
        default_domain = nexustest.idfbins.com
        admin_server = fbms2010.idfbins.com
    }
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .nexustest at idfbins.com = IDFBINS.COM
    .nexustest.idfbins.com = IDFBINS.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
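
With both KrbMethodNegotiate and KrbMethodK5Passwd enabled as in the configuration above, the browser can answer with either an Authorization: Negotiate token or an Authorization: Basic username/password pair, so a first troubleshooting step is to confirm which one the server actually received. The following Python is an added example, not part of the original post or of mod_auth_kerb; the function names and the sample header values are constructed for illustration.

```python
import base64
import binascii

# DER content bytes of the GSS-API mechanism OIDs.
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def _gss_mech_oid(token: bytes):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:      # [APPLICATION 0] wrapper
        return None
    pos = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)  # skip DER length
    if pos + 2 > len(token) or token[pos] != 0x06:          # OID tag
        return None
    return token[pos + 2:pos + 2 + token[pos + 1]]

def classify_authorization(header: str) -> str:
    """Name the mechanism carried by an HTTP Authorization header value."""
    scheme, _, cred = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "negotiate"):
        return "other"
    try:
        raw = base64.b64decode(cred.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if scheme == "basic":
        # Report only the user name; the password is never returned.
        user, sep, _password = raw.partition(b":")
        return "basic:" + user.decode("utf-8", "replace") if sep else "malformed"
    if raw.startswith(b"NTLMSSP\x00"):          # NTLM carried inside Negotiate
        return "negotiate-ntlm"
    oid = _gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        return "negotiate-spnego"
    if oid == KRB5_OID:
        return "negotiate-kerberos"
    return "negotiate-unknown"

def constructed_samples() -> dict:
    """Constructed header values (not captured traffic), one per branch."""
    enc = lambda b: base64.b64encode(b).decode()
    spnego = bytes([0x60, 0x0A, 0x06, 0x06]) + SPNEGO_OID + b"\xa0\x00"
    return {
        "basic": "Basic " + enc(b"alice@IDFBINS.COM:constructed-password"),
        "spnego": "Negotiate " + enc(spnego),
        "ntlm": "Negotiate " + enc(b"NTLMSSP\x00\x01\x00\x00\x00"),
    }
```

A "negotiate-ntlm" result means the client fell back to NTLM inside Negotiate, which a Kerberos-only module cannot validate; a "basic:" result shows the exact principal string that was submitted for the password check.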