Error while authenticating using mod_auth_kerb module

Markus Moeller huaraz at moeller.plus.com
Sat Aug 4 09:35:46 EDT 2007


Andrew,

a couple of questions.

1) Is your client IE or Firefox on Windows XP?
2) Are you only using AD as KDC?
3) Can you see the service ticket on your XP desktop with kerbtray?
4) Can you capture port 88 traffic from your XP desktop with Wireshark
(after a fresh login to your desktop)?
5) Do you use aliases for your server?
6) Is the reverse DNS lookup OK?

The error you see indicates the XP desktop does not find a Kerberos service
ticket and therefore sends an NTLM token.

Markus

"Andrew Ortlieb" <Aortlieb at fimed.com> wrote in message 
news:mailman.15.1186175009.14853.kerberos at mit.edu...
I have been facing this same issue for over a week.  It's been entirely
frustrating.



While watching network traffic I'm seeing that mod_auth_kerb isn't even
attempting to communicate with the domain controller while attempting to
negotiate.



Here is my error.log:



[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1485): [client
192.168.5.171] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos

[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1172): [client
192.168.5.171] Acquiring creds for HTTP/site-intra.site.local at SITE.LOCAL

[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1316): [client
192.168.5.171] Verifying client data using KRB5 GSS-API

[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1332): [client
192.168.5.171] Verification returned code 589824

[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1359): [client
192.168.5.171] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.





I have verified the communication with kinit and kvno, and confirmed
that the keytab kvno numbers match.



Any pointers would be greatly appreciated.



-Andy
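
Added example (not part of either message, and not mod_auth_kerb code): a small Python check that decodes the major status 589824 from the log and classifies the token a client sends in an `Authorization: Negotiate` header as raw NTLM, SPNEGO or Kerberos. The function names and the sample headers are constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
# GSS-API routine errors (RFC 2744), stored in bits 16-23 of the major status.
GSS_ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 9: "GSS_S_DEFECTIVE_TOKEN",
                      10: "GSS_S_DEFECTIVE_CREDENTIAL", 13: "GSS_S_FAILURE"}


def decode_gss_major(status):
    """Name the routine error inside a GSS-API major status code."""
    routine = (status >> 16) & 0xFF
    if routine == 0:
        return "no routine error"
    return GSS_ROUTINE_ERRORS.get(routine, "routine error %d" % routine)


def classify_negotiate_header(value):
    """Report which mechanism a client put in 'Authorization: Negotiate ...'."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLMSSP message, the case the module warns about
    if len(token) > 2 and token[0] == 0x60:  # GSS-API InitialContextToken
        # Skip the DER length (short form, or 0x80|n followed by n bytes).
        pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
        if token[pos:].startswith(OID_SPNEGO):
            return "spnego"
        if token[pos:].startswith(OID_KRB5):
            return "kerberos"
    return "unknown"


# Constructed sample tokens (not captured traffic); DER lengths are illustrative.
SAMPLE_TOKENS = {
    "ntlm": NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28),
    "spnego": b"\x60\x82\x01\x00" + OID_SPNEGO + bytes(16),
    "kerberos": b"\x60\x81\x90" + OID_KRB5 + b"\x01\x00" + bytes(16),
}
SAMPLE_HEADERS = {kind: "Negotiate " + base64.b64encode(tok).decode()
                  for kind, tok in SAMPLE_TOKENS.items()}

if __name__ == "__main__":
    print(decode_gss_major(589824))
    for kind, header in SAMPLE_HEADERS.items():
        print(kind, "->", classify_negotiate_header(header))
```

A header value that begins `Negotiate TlRMTVNTUAA` is the base64 form of the NTLMSSP signature. An "spnego" result only identifies the wrapper, which can itself carry either Kerberos or NTLM.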




