Problems with mod_auth_kerb and Windows 2003 ADS

thilger@gmail.com thilger at gmail.com
Fri Aug 24 07:53:25 EDT 2007


I don't know if this is helpful but the service provider gave me a
list with the installed patches on the Windows Server:

Q147222
KB890046 - Update
KB893756 - Update
KB896358 - Update
KB896422 - Update
KB896424 - Update
KB896428 - Update
KB898715 - Update
KB899587 - Update
KB899588 - Update
KB899589 - Update
KB899591 - Update
KB900725 - Update
KB901017 - Update
KB901214 - Update
KB902400 - Update
KB904706 - Update
KB905414 - Update
KB908519 - Update
KB908531 - Update
KB910437 - Update
KB911562 - Update
KB911567 - Update
KB911927 - Update
KB912812 - Update
KB912919 - Update
KB913446 - Update



On 8/23/07, thilger at gmail.com <thilger at gmail.com> wrote:
> Hi List,
> I'm having problems with the authentication through mod_auth_kerb.
> The used solution had worked for four months without any problems. Ever
> since 16 Aug 2007 that solution hasn't been functional.
>
> Nothing has been changed in our system (Apache 2.0.55  with mod_auth_kerb).
> The service provider who administrates the ADS confirmed that there were no
> changes made or any patches installed. The same applies to clients who are
> administrated by an external service provider; no changes resp. installation
> of patches were supposed to be done. However, I cannot confirm the external
> service provider's statements.
>
> The following error messages appear in the VHost's apache error log:
> --<apache error log>--
> [Wed Aug 22 15:17:04 2007] [debug] src/mod_auth_kerb.c(1485): [client
> 127.0.0.2] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://intern.customer.com/index.html
> [Wed Aug 22 15:17:26 2007] [debug] src/mod_auth_kerb.c(1485): [client
> 127.0.0.2] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1485): [client
> 127.0.0.2] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1172): [client
> 127.0.0.2] Acquiring creds for HTTP at intern.customer.com, referer:
> http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1316): [client
> 127.0.0.2] Verifying client data using KRB5 GSS-API, referer:
> http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1332): [client
> 127.0.0.2] Verification returned code 589824, referer:
> http://intern.customer.com/index.html
> [Wed Aug 22 15:17:42 2007] [debug] src/mod_auth_kerb.c(1359): [client
> 127.0.0.2] Warning: received token seems to be NTLM, which isn't
> supported by the Kerberos module. Check your IE configuration.,
> referer: http://intern.customer.com/index.html
> --</apache error log>--
>
>
> I get the following message when requesting the Kerberos commands:
> [root at server1:/opt/krb5/bin]$ ./klist -e -f -a  -n
> Ticket cache: FILE:/tmp/krb5cc_2022
> Default principal: HTTP/intern.customer.com at SITE.ALL.LAN
>
> Valid starting     Expires            Service principal
> 08/22/07 17:07:36  08/23/07 03:08:07  krbtgt/SITE.ALL.LAN at SITE.ALL.LAN
>         renew until 08/23/07 17:07:36, Flags: RIA
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>         Addresses: (none)
>
> [root at server1:/opt/krb5/bin]# ./kvno HTTP/intern.customer.com at SITE.ALL.LAN
> kvno: Server not found in Kerberos database while getting credentials
> for HTTP/intern.cutomer.com at SITE.ALL.LAN
>
> After consultation with the service provider, a new keytab file has
> already been exported and transferred to the Apache System.
>
>    ktpass -princ HTTP/intern.customer.com
>         -mapuser http-intern at SITE.ALL.LAN
>         -crypto DES-CBC-MD5
>         -ptype KRB_NT_PRINCIPAL
>         -mapop set +desonly
>         -pass ********
>         -out c:\temp\keytab
>
> -rw-r--r--   1 httpd    httpd         77 Aug 23 10:16 intern.keytab
>
> Do you have any advice what else to check or even a solution proposal?
>
> Thanks for your help,
>
> Thorsten
>
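
Added example, not part of the original post or of mod_auth_kerb: a small Python classifier for the value of an `Authorization: Negotiate` header, to confirm whether a client is sending a raw NTLM token (the case behind the "received token seems to be NTLM" warning in the log above) or a SPNEGO/Kerberos token. The names `classify`, `spnego_sample` and `SAMPLES` are hypothetical, the sample tokens are constructed, and the SPNEGO branch compares OID offsets as a heuristic rather than doing a full DER parse.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every raw NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2 (DER: tag 0x06, len, value)
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def classify(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if tok.startswith(NTLMSSP):
        return "ntlm-raw"  # no SPNEGO wrapper: the case the module warns about
    if len(tok) < 4 or tok[0] != 0x60:
        return "unknown"  # not a GSS-API InitialContextToken
    rest = tok[2 if tok[1] < 0x80 else 2 + (tok[1] & 0x7F):]  # skip tag + DER length
    if rest.startswith((OID_KRB5, OID_MS_KRB5)):
        return "kerberos"
    if not rest.startswith(OID_SPNEGO):
        return "unknown"
    # Heuristic: the OID listed first in mechTypes is the client's preferred mechanism.
    krb = min((i for i in (rest.find(OID_KRB5), rest.find(OID_MS_KRB5)) if i >= 0), default=-1)
    ntlm = rest.find(OID_NTLM)
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "spnego-kerberos"
    return "spnego-ntlm" if ntlm >= 0 else "spnego-unknown"

def spnego_sample(mech_oids):
    """Constructed NegTokenInit holding only a mechTypes list (lengths < 128)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    inner = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, mech_oids))))
    return "Negotiate " + base64.b64encode(tlv(0x60, OID_SPNEGO + inner)).decode()

# Constructed sample header values (not captured traffic).
SAMPLES = {
    "raw NTLM type 1": "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + bytes(4)).decode(),
    "SPNEGO, Kerberos first": spnego_sample(OID_MS_KRB5 + OID_KRB5 + OID_NTLM),
    "SPNEGO, NTLM only": spnego_sample(OID_NTLM),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {classify(value)}")
```

A result of `ntlm-raw` or `spnego-ntlm` means the client did not present a Kerberos service ticket for the HTTP principal, which fits with the `kvno` failure quoted in the post.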