Mod_auth_kerb and Windows XP SP2

Gopalan, Sriram sgopalan at etrade.com
Mon Apr 16 14:02:29 EDT 2007


All,

We are using Apache2 with mod_auth_kerb.

Red Hat Enterprise Linux AS release 3 (2.4.21-40.Elsmp)
Apache 2.0.49 (fork)
mod_auth_kerb-5.3
MIT Kerberos Version 5, Release 1.5.2
Windows XP sp2 (desktop).


1. User logs on to their desktop.
2. I can see the TGT using kerbtray.
3. Everything works fine for 2 days.
4. Right from the 3rd day, users start getting a basic auth box when they
try to access the site.

Apache logs
=========
[Mon Apr 09 10:03:25 2007] [info] Initial (No.1) HTTPS request received
for child 1 (server lxdm14545.corp.mycompany.com:443)
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1474): [client
10.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1161): [client
10.X.X.X] Acquiring creds for HTTP at lxdm14545.corp.mycompany.com
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1305): [client
10.X.X.X] Verifying client data using KRB5 GSS-API
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1321): [client
10.X.X.X] Verification returned code 589824
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1348): [client
10.X.X.X] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.
[Mon Apr 09 10:03:25 2007] [error] [client 10.X.X.X]
gss_accept_sec_context() failed: Invalid token was supplied (No error)
[Mon Apr 09 10:03:25 2007] [info] Connection to child 1 closed with
unclean shutdown(server lxdm14545.corp.mycompany.com:443, client
10.X.X.X)

In kerbtray I can see a valid (non-expired) ticket.
If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
working fine again.

I used ethereal to see what's happening.

On successful auth: IE is sending Authorization: Negotiate
On failed auth: IE is sending Authorization: NTLMSSP (without even trying
GSSAPI)

Does anyone know what triggers Windows XP to stop doing kerb auth
(GSSAPI) and switch to NTLM?

It's weird that it works fine for a couple of days and then starts
misbehaving this way.
Once in a while I see this error in the desktop's Event Viewer. There is no
pattern in the time interval between the errors.

The Security System could not establish a secured connection with the
server
ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com at corp.mycompany.com.
No authentication protocol was available.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I verified that we have reverse DNS lookup set up properly.

This seems to be more of an issue on the XP side.

Any help in this regard would be appreciated.

Thanks
--Sriram
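Added example, not part of the original post or of mod_auth_kerb: a small Python check that does the same test the "received token seems to be NTLM" log line refers to. It base64-decodes the Authorization: Negotiate value and reports whether the client sent a bare NTLMSSP message, a SPNEGO token whose optimistic mechToken is NTLM, a SPNEGO token carrying Kerberos, or a raw GSS-API Kerberos token, which is useful when sifting captured headers to see which clients have silently fallen back to NTLM. The sample headers are constructed here, not captures from this thread.

```python
import base64

# GSS-API mechanism OIDs in DER form, as found inside an InitialContextToken (RFC 2743 3.1).
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def der_len(buf: bytes, i: int):
    """Parse a DER length at buf[i]; return (length, index of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_token(token: bytes) -> str:
    """Name the token a client put in 'Authorization: Negotiate'."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"  # bare NTLM message: the case mod_auth_kerb's warning refers to
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    _, i = der_len(token, 1)  # skip the InitialContextToken length
    if token[i] != 0x06:
        return "unknown"
    oid_len, i = der_len(token, i + 1)
    oid = token[i:i + oid_len]
    if oid == KRB5_OID:
        return "krb5"  # Kerberos AP-REQ wrapped directly in GSS-API
    if oid == SPNEGO_OID:
        # NegTokenInit carries an optimistic mechToken; an NTLM message there means NTLM was chosen first
        return "spnego-ntlm" if b"NTLMSSP\x00" in token else "spnego"
    return "gssapi-other"

def classify_authorization(header: str) -> str:
    """Classify a full Authorization header value such as 'Negotiate <base64>'."""
    scheme, _, value = header.partition(" ")
    if scheme == "Negotiate":
        return classify_token(base64.b64decode(value))
    return "ntlmssp" if scheme == "NTLM" else scheme.lower()

def gss_token(oid: bytes, inner: bytes) -> bytes:  # short-form InitialContextToken, for building samples
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body

# Constructed sample headers; these are not captures from the thread.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)
KRB5_APREQ = gss_token(KRB5_OID, b"\x01\x00" + bytes(8))  # 0x0100 = KRB_AP_REQ token id
SAMPLE_HEADERS = {
    "healthy": "Negotiate " + base64.b64encode(gss_token(SPNEGO_OID, b"\xa2\x19\x04\x17" + KRB5_APREQ)).decode(),
    "fallback": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
}
```

Run classify_authorization over each captured header; only "krb5" or "spnego" results mean the client actually offered Kerberos.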