Error while authenticating using mod_auth_kerb module
Markus Moeller
huaraz at moeller.plus.com
Sat Aug 4 09:35:46 EDT 2007
Andrew,
a couple of questions.
1) Is your client IE or Firefox on Windows XP ?
2) Are you only using AD as kdc ?
3) Can you see on your XP desktop the service ticket with kerbtray ?
4) Can you capture port 88 traffic form your XP desktop with wireshark
(after a fresh login to your desktop) ?
5) Do you use aliases for your server ?
6) Is the reverse DNS lookup OK ?
The error you see indicates the XP desktop does not find a kerberos service
ticket and sends therefore a NTLM token.
Markus
"Andrew Ortlieb" <Aortlieb at fimed.com> wrote in message
news:mailman.15.1186175009.14853.kerberos at mit.edu...
I have been facing this same issue for over a week. It's been entirely
frustrating.
While watching network traffic I'm seeing that mod_auth_kerb isn't even
attempting to communicate with the domain controller while attempting to
negotiate.
Here is my error.log:
[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1485): [client
192.168.5.171] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1172): [client
192.168.5.171] Acquiring creds for HTTP/site-intra.site.local at SITE.LOCAL
[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1316): [client
192.168.5.171] Verifying client data using KRB5 GSS-API
[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1332): [client
192.168.5.171] Verification returned code 589824
[Fri Aug 03 14:43:06 2007] [debug] src/mod_auth_kerb.c(1359): [client
192.168.5.171] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.
I have verified the communication with kinit and kvno, and confirmed
that the keytab kvno numbers match.
Any pointers would be greatly appreciated.
-Andy
More information about the Kerberos
mailing list