Mod_auth_kerb and Windows XP SP2

SriramG sgopalan at etrade.com
Mon Apr 16 18:20:16 EDT 2007


I opened a support call with Microsoft and got a reply that they don't
support Kerberos authentication if the webserver is Apache, even if the client
is XP-IE. They only support the IE-IIS combination.

Going back to NTLM is not an option. 

I can provide ethereal trace if anyone is interested in it.
I followed the exact instructions as mentioned in
http://www.grolmsnet.de/kerbtut/
I guess being able to do seamless SSO for the first 2 days is proof that the
keytab and the rest of the configuration are correct.

Has anyone implemented this solution without any issues?

--Sriram


SriramG wrote:
> 
> All,
> 
> We are using Apache2 with mod_auth_kerb.
> 
> Red Hat Enterprise Linux AS release 3  (2.4.21-40.Elsmp)
> Apache 2.0.49 (fork)
> mod_auth_kerb-5.3
> MIT Kerberos Version 5, Release 1.5.2
> Windows XP sp2 (desktop).
> 
> 
> 1. User logs on to their desktop. 
> 2. I can see TGT using kerbtray.
> 3. Everything works fine for 2 days.
> 4. Right from the 3rd day users start getting the basic auth box when they
> try to access the site.
> 
> Apache logs
> =========
> [Mon Apr 09 10:03:25 2007] [info] Initial (No.1) HTTPS request received
> for child 1 (server lxdm14545.corp.mycompany.com:443)
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1474): [client
> 10.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type
> Kerberos
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1161): [client
> 10.X.X.X] Acquiring creds for HTTP at lxdm14545.corp.mycompany.com
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1305): [client
> 10.X.X.X] Verifying client data using KRB5 GSS-API
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1321): [client
> 10.X.X.X] Verification returned code 589824
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1348): [client
> 10.X.X.X] Warning: received token seems to be NTLM, which isn't
> supported by the Kerberos module. Check your IE configuration.
> [Mon Apr 09 10:03:25 2007] [error] [client 10.X.X.X]
> gss_accept_sec_context() failed: Invalid token was supplied (No error)
> [Mon Apr 09 10:03:25 2007] [info] Connection to child 1 closed with
> unclean shutdown(server lxdm14545.corp.mycompany.com:443, client
> 10.X.X.X)
> 
> On the kerbtray I can see a valid ticket (non-expired).
> If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
> working fine again.
> 
> I used ethereal to see what's happening.
> 
> On successful auth: IE is sending Authorization: Negotiate
> On failed auth: IE is sending Authorization: NTLMSSP (without even trying
> to use GSSAPI)
> 
> Does anyone know what triggers Windows XP to stop doing Kerberos auth
> (GSSAPI) and switch to NTLM?
> 
> It's weird that it works fine for a couple of days and then starts
> misbehaving this way.
> Once in a while I see this error on Desktop's event viewer. There is no
> pattern in the time interval between the errors.
> 
> The Security System could not establish a secured connection with the
> server
> ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com at corp.mycompany.com.
> No authentication protocol was available.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> 
> I verified that we have reverse DNS look up setup properly. 
> 
> This seems to be a more of an issue on the XP side.
> 
> Any help in this regard will be appreciated.
> 
> Thanks
> --Sriram
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://www.nabble.com/Mod_auth_kerb-and-Windows-XP-SP2-tf3586194.html#a10025814
Sent from the Kerberos - General mailing list archive at Nabble.com.
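The failure described in the thread, IE sending an NTLMSSP token where mod_auth_kerb expects a GSS-API/SPNEGO token carrying Kerberos, can be checked on the server side by decoding the Authorization header. The Python below is an added example, not code from the thread or from mod_auth_kerb; it reports whether a Negotiate token offers Kerberos, wraps only NTLM inside SPNEGO, or is a bare NTLMSSP message like the one the module rejects above. The sample tokens are constructed, and the OIDs are the standard SPNEGO, Kerberos and NTLMSSP mechanism OIDs.

```python
import base64
import binascii
# DER-encoded OBJECT IDENTIFIER elements for the mechanisms involved here
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                   # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"         # 1.2.840.113554.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"  # raw NTLMSSP message; its base64 starts "TlRMTVNTUAA"

def classify_token(raw: bytes) -> str:
    # Name the mechanism a decoded Negotiate token is offering
    if raw.startswith(NTLM_SIGNATURE):
        return "raw-ntlm"             # what mod_auth_kerb logs as "seems to be NTLM"
    if raw[:1] != b"\x60":            # RFC 2743 InitialContextToken tag
        return "unknown"
    head = raw[:80]                   # mech OIDs sit in the first few dozen bytes
    if SPNEGO_OID not in head:
        return "krb5" if KRB5_OID in head else "unknown"
    if KRB5_OID in head:
        return "spnego-krb5"          # Kerberos offered: the healthy case
    if NTLMSSP_OID in head:
        return "spnego-ntlm-only"     # SPNEGO wrapper, but only NTLM inside
    return "spnego-unknown"

def classify_authorization(header: str) -> str:
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        return classify_token(base64.b64decode(parts[1], validate=True))
    except (binascii.Error, ValueError):
        return "malformed"

# Constructed sample tokens (shapes only, not captured from a real client)
def der(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128         # short-form DER length suffices for these samples
    return bytes([tag, len(payload)]) + payload

def build_spnego_init(mech_oids) -> bytes:
    mech_types = der(0x30, b"".join(mech_oids))            # SEQUENCE OF MechType
    neg_token_init = der(0x30, der(0xa0, mech_types))      # NegTokenInit { [0] mechTypes }
    return der(0x60, SPNEGO_OID + der(0xa0, neg_token_init))

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()
NTLM_TYPE1 = NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
SAMPLE_HEADERS = {
    "kerberos_ok": "Negotiate " + b64(build_spnego_init([KRB5_OID, NTLMSSP_OID])),
    "ntlm_only": "Negotiate " + b64(build_spnego_init([NTLMSSP_OID])),
    "raw_ntlm": "Negotiate " + b64(NTLM_TYPE1),
    "basic_fallback": "Basic dXNlcjpwYXNzd29yZA==",
}
```

Run over headers logged with a custom Apache LogFormat, a rise in "raw-ntlm" or "spnego-ntlm-only" results per client is the server-side signal of the NTLM fallback the thread describes.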



