problem obtaining tickets on a webserver
dk
dk at kadenpartner.ch
Sun Feb 4 03:57:50 EST 2007
Hello
I want to build a web-based application where a client sends a request to server 1, on which a PHP application resides. This application has to send a request to a gateway. The gateway itself then calls the target application on server 3, which again is protected by Kerberos:

Client (fTGT) ---> Server 1 (Apache, mod_auth_kerb) ---> Gateway ---> Server 3 (Apache, mod_auth_kerb)
Everything should work as a single sign-on application. The idea is: the client has a forwardable ticket-granting ticket. This ticket is forwarded to server 1. Server 1 takes the ticket and integrates it in a request sent to a gateway server. This one (based on Perl LWP) uses the ticket to send another request to server 3.
So far everything works fine except the ticket transfer from the client to server 1. If httpd.conf on server 1 is set up with

KrbMethodK5Passwd on
KrbSaveCredentials on

server 1 receives a ticket-granting ticket that can be sent to the gateway. The disadvantage is that the user has to enter username and password. If on server 1 KrbMethodK5Passwd is set to off, the authentication on server 1 works too, but server 1 does not save a ticket. The Apache error log simply says:
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
To find out a bit more I changed line 1394 in mod_auth_kerb.c from

if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)

to

if (conf->krb_save_credentials)

Then the Apache error log says:
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (Unknown code ____ 255))
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for HTTP at www.dk.ch
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error))
It looks like there is a GSS_C_NO_CREDENTIAL flag set to true for a reason I don't know. I tried to find out where this flag comes from and how it could be set correctly, but I did not succeed. To exclude that it is a Firefox problem I also used a simple Perl script based on LWP (same result).

In krb5.conf I tried different defaults, for example:

[libdefaults]
default_realm = DK.CH
forwardable = true
proxiable = true

I also tried "handmade" TGTs (kinit -f ...).

Kerberos version is MIT krb5-1.6
Apache version is 2.2.3
mod_auth_kerb version is 5.3

In order to have a single sign-on solution I need a fTGT on server 1. Is that right? Is it possible at all? If yes, what would I have to change?
Thanks in advance
Donald Kaden
Kaden & Partner AG
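The post turns on the difference between a ticket-granting ticket that is merely forwardable on the client (what `kinit -f` produces) and one that has actually been forwarded to server 1 (what `KrbSaveCredentials on` would write to a cache). The following is an added example, not the poster's code and not part of mod_auth_kerb or MIT Kerberos: it parses the text that MIT `klist -f` prints and reports which of the two situations a credential cache is in. It assumes the MIT layout (one ticket line followed by an indented `Flags:` line) and MIT's flag letters (`F` forwardable, `f` forwarded, `P` proxiable, `R` renewable, `I` initial, `A` preauthenticated, `O` ok-as-delegate). The three cache listings, the principal `alice` and the cache file names are constructed sample input; the realm `DK.CH` and host `www.dk.ch` are taken from the post.

```python
"""Classify an MIT `klist -f` listing by the delegation state of its TGT.

Added example; assumes MIT klist output layout and MIT flag letters.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: client cache after `kinit -f` plus one visit to server 1.
CLIENT_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@DK.CH

Valid starting       Expires              Service principal
02/04/07 08:30:00  02/04/07 18:30:00  krbtgt/DK.CH@DK.CH
\tFlags: FRIA
02/04/07 08:33:36  02/04/07 18:30:00  HTTP/www.dk.ch@DK.CH
\tFlags: FRAO
"""

# Constructed sample: cache written on server 1 once the client really
# delegated its TGT; the forwarded copy carries both F and f.
SERVER1_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_apache_XXXXXX
Default principal: alice@DK.CH

Valid starting       Expires              Service principal
02/04/07 08:33:36  02/04/07 18:30:00  krbtgt/DK.CH@DK.CH
\tFlags: FfRA
"""

# Constructed sample: `kinit` without -f and without `forwardable = true`.
NONFORWARDABLE_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@DK.CH

Valid starting       Expires              Service principal
02/04/07 08:30:00  02/04/07 18:30:00  krbtgt/DK.CH@DK.CH
\tFlags: RIA
"""

# A ticket line starts with a date; the column header line does not.
TICKET_RE = re.compile(
    r"^(?P<start>\d\S* \S+)\s+(?P<expires>\d\S* \S+)\s+(?P<service>\S+)\s*$"
)
FLAGS_RE = re.compile(r"^\s*Flags:\s*(?P<flags>[A-Za-z]*)\s*$")


@dataclass
class Ticket:
    service: str
    flags: str = ""

    @property
    def is_tgt(self) -> bool:
        return self.service.startswith("krbtgt/")

    @property
    def forwardable(self) -> bool:   # flag F: the KDC may issue forwarded copies
        return "F" in self.flags

    @property
    def forwarded(self) -> bool:     # flag f: this copy was itself forwarded
        return "f" in self.flags


def parse_klist(text: str) -> List[Ticket]:
    """Return one Ticket per ticket line, with the flags of the line below it."""
    tickets: List[Ticket] = []
    pending: Optional[Ticket] = None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m and pending is not None:
            pending.flags = m.group("flags")
            continue
        m = TICKET_RE.match(line)
        if m:
            pending = Ticket(service=m.group("service"))
            tickets.append(pending)
    return tickets


def delegatable_tgt(tickets: List[Ticket]) -> Optional[Ticket]:
    """Client-side check: a TGT with F is one a client could delegate."""
    return next((t for t in tickets if t.is_tgt and t.forwardable), None)


def delegated_tgt(tickets: List[Ticket]) -> Optional[Ticket]:
    """Server-side check: a TGT with F and f was forwarded to this host and
    can be passed on again (e.g. to the gateway in the post)."""
    return next((t for t in tickets if t.is_tgt and t.forwardable and t.forwarded), None)


def assess(text: str) -> str:
    tickets = parse_klist(text)
    if not any(t.is_tgt for t in tickets):
        return "no TGT in cache"
    if delegated_tgt(tickets):
        return "delegated forwardable TGT present"
    if delegatable_tgt(tickets):
        return "forwardable TGT present (not delegated)"
    return "TGT present but not forwardable"


if __name__ == "__main__":
    for name, cache in (("client", CLIENT_CACHE), ("server 1", SERVER1_CACHE),
                        ("no -f", NONFORWARDABLE_CACHE)):
        print(f"{name:9s}: {assess(cache)}")
```

Run on a real host, feed it `klist -f` output from the cache in question: on the client, anything other than "forwardable TGT present" means no delegation can happen regardless of the server configuration; on server 1, only "delegated forwardable TGT present" shows that a credential was actually saved for the hop to the gateway.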