Problems with mod_auth_kerb and Windows 2003 ADS

thilger@gmail.com thilger at gmail.com
Thu Aug 23 16:24:13 EDT 2007


Hi List,
I'm having problems with the authentication through mod_auth_kerb.
The used solution had worked for four months without any problems. Ever
since 16 Aug 2007 that solution hasn't been functional.

Nothing has been changed in our system (Apache 2.0.55 with mod_auth_kerb).
The service provider who administers the ADS confirmed that there were no
changes made or any patches installed. The same applies to clients which are
administered by an external service provider; no changes or patch
installations were supposed to have been made. However, I cannot confirm the
external service provider's statements.

The following error messages appear in the VHost's apache error log:
--<apache error log>--
[Wed Aug 22 15:17:04 2007] [debug] src/mod_auth_kerb.c(1485): [client
127.0.0.2] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:26 2007] [debug] src/mod_auth_kerb.c(1485): [client
127.0.0.2] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1485): [client
127.0.0.2] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1172): [client
127.0.0.2] Acquiring creds for HTTP at intern.customer.com, referer:
http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1316): [client
127.0.0.2] Verifying client data using KRB5 GSS-API, referer:
http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1332): [client
127.0.0.2] Verification returned code 589824, referer:
http://intern.customer.com/index.html
[Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1359): [client
127.0.0.2] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.,
referer: http://intern.customer.com/index.html
--</apache error log>--


I get the following message when requesting the Kerberos commands:
[root at server1:/opt/krb5/bin]$ ./klist -e -f -a -n
Ticket cache: FILE:/tmp/krb5cc_2022
Default principal: HTTP/intern.customer.com at SITE.ALL.LAN

Valid starting     Expires            Service principal
08/22/07 17:07:36  08/23/07 03:08:07  krbtgt/SITE.ALL.LAN at SITE.ALL.LAN
        renew until 08/23/07 17:07:36, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)

[root at server1:/opt/krb5/bin]# ./kvno HTTP/intern.customer.com at SITE.ALL.LAN
kvno: Server not found in Kerberos database while getting credentials
for HTTP/intern.cutomer.com at SITE.ALL.LAN

After consultation with the service provider, a new keytab file has
already been exported and transferred to the Apache system.

   ktpass -princ HTTP/intern.customer.com
        -mapuser http-intern at SITE.ALL.LAN
        -crypto DES-CBC-MD5
        -ptype KRB_NT_PRINCIPAL
        -mapop set +desonly
        -pass ********
        -out c:\temp\keytab

-rw-r--r--   1 httpd    httpd         77 Aug 23 10:16 intern.keytab

Do you have any advice what else to check or even a solution proposal?

Thanks for your help,

Thorsten
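The warning in the error log above comes from mod_auth_kerb looking at the first bytes of the token the browser sent. As an added illustration (not code from the original post or from mod_auth_kerb), this script shows how a captured "Authorization: Negotiate" header can be classified as NTLM, SPNEGO or raw Kerberos, so an administrator can confirm which mechanism the client actually fell back to; the sample headers are constructed, not captured from a real client.

```python
"""Classify the token in an HTTP "Authorization: Negotiate" header.

NTLM messages start with the "NTLMSSP\\0" signature; GSS-API tokens start
with an ASN.1 APPLICATION 0 tag (0x60), a DER length and the mechanism OID.
"""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Return 'ntlm', 'spnego', 'krb5', 'unknown', 'malformed-base64' or 'not-negotiate'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if token[:1] == b"\x60" and len(token) > 2:  # GSS-API InitialContextToken
        _, pos = _der_length(token, 1)
        if token[pos:pos + len(OID_SPNEGO)] == OID_SPNEGO:
            return "spnego"
        if token[pos:pos + len(OID_KRB5)] == OID_KRB5:
            return "krb5"
    return "unknown"


def _gss_token(mech_oid, body):
    """Wrap mech_oid + body in the 0x60 tag with a DER length (constructed sample, < 256 bytes)."""
    inner = mech_oid + body
    length = bytes([len(inner)]) if len(inner) < 0x80 else b"\x81" + bytes([len(inner)])
    return b"\x60" + length + inner


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: an NTLM type-1 message, a short SPNEGO NegTokenInit,
# and a long (>127 byte) raw Kerberos token that exercises the long-form length.
SAMPLE_HEADERS = {
    "ntlm": _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16),
    "spnego": _header(_gss_token(OID_SPNEGO, b"\xa0\x03\x0a\x01\x00")),
    "krb5": _header(_gss_token(OID_KRB5, b"\x01\x00" + b"\x00" * 200)),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:7s} -> {classify_negotiate_token(hdr)}")
```

A result of "ntlm" on a header from a client that should be using Kerberos points at the client side (SPN lookup or browser configuration) rather than at the keytab.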
