Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Mikkel Kruse Johnsen mikkel at linet.dk
Thu Jul 12 05:19:12 EDT 2007


Hi Everyone

What I want to do is to be able to authenticate (Negotiate) from Firefox and
IE7 on Windows and Linux.

What I have is an MS Active Directory 2003 (but running in 2000 mode)
with realm "HHK.DK" then I have a Linux Kerberos server (RHEL5 64bit)
with realm "CBS.DK". I have made a two-way trust between them.
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC).

That seems to work because:

On Linux: (using user in linux kerberos)

---
kinit mkj.lib@CBS.DK
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK

Valid starting     Expires            Service principal
07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
---

Going to my test server it works, phpinfo() gives me:
---
_SERVER["REMOTE_USER"]  mkj.lib@CBS.DK
_SERVER["AUTH_TYPE"]    Negotiate
---
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK

Valid starting     Expires            Service principal
07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
07/09/07 12:10:40  07/10/07 12:09:43  HTTP/sugi.cbs.dk@CBS.DK
        Flags: FT, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour with HMAC/md5
---

Still on Linux (using user in AD)

---
kinit mkj.lib@HHK.DK
Password for mkj.lib@HHK.DK:
[mkj@tux ~]$ klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
----

Web page says:
----
_SERVER["REMOTE_USER"]  mkj.lib@HHK.DK
_SERVER["AUTH_TYPE"]    Negotiate
----
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
07/09/07 12:12:40  07/09/07 22:12:08  krbtgt/CBS.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRAO
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
07/09/07 12:12:41  07/09/07 22:12:08  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/09/07 12:12:41, Flags: FRAT
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour with HMAC/md5
----


Now on Windows joined to HHK.DK and logged in as "mkj.lib"

----
C:\Program Files\Resource Kit>klist tickets

Cached Tickets: (11)

   Server: krbtgt/HHK.DK@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: krbtgt/HHK.DK@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: cifs/etrust.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: cifs/HHK-02@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: cifs/ITS-AMO.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: cifs/ns1.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: cifs/HHK-02.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: cifs/NS2.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: ldap/NS2.hhk.dk/hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: LDAP/NS2.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55


   Server: host/tuxwin.hhk.dk@HHK.DK
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/9/2007 19:26:55
      Renew Time: 7/16/2007 9:26:55
----

But entering the web page:
---
Authorization Required
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn't understand how to supply the
credentials required.

----
Apache error log:
----
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.172] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.172] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1147): [client 130.226.36.172] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1266): [client 130.226.36.172] Verifying client data using KRB5 GSS-API
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1282): [client 130.226.36.172] Verification returned code 589824
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1309): [client 130.226.36.172] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Jul 09 12:16:21 2007] [error] [client 130.226.36.172] gss_accept_sec_context() failed: Invalid token was supplied (No error)
----

I have followed all the instructions: "Integrated logon" is on, my sites
are in Local Sites and the proxy is turned off. The same error occurs with
Firefox, where I have set the trusted-uris and delegation-uris in about:config to
"cbs.dk,hhk.dk" (did the same under Linux and it works).

Any help is appreciated



.htaccess:
---
AuthType Kerberos
AuthName "CBS Login"
KrbAuthRealms CBS.DK HHK.DK
KrbServiceName HTTP/sugi.cbs.dk@CBS.DK
Krb5Keytab /etc/httpd/conf/httpd.keytab
KrbSaveCredentials on
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
----
Have tried without KrbServiceName set and with "KrbServiceName HTTP",
and still no luck.


krb5.conf
----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CBS.DK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
noaddresses = no

[realms]
CBS.DK = {
  kdc = kerberos.cbs.dk:88
  admin_server = kerberos.cbs.dk:749
  default_domain = cbs.dk
}
HHK.DK = {
  kdc = ns1.hhk.dk:88
  admin_server = ns1.hhk.dk:749
  default_domain = hhk.dk
}

[domain_realm]
.cbs.dk = CBS.DK
cbs.dk = CBS.DK
.hhk.dk = HHK.DK
hhk.dk = HHK.DK

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
----

kdc.conf
----
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth

[realms]
CBS.DK = {
  #master_key_type = des3-hmac-sha1
  supported_enctypes = rc4-hmac:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
---

Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
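The mod_auth_kerb log above says only that the token "seems to be NTLM". When debugging a Negotiate failure like this one, the first thing worth knowing is what the browser actually put in the Authorization header: a raw NTLM message, a bare Kerberos token, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanisms the client offered and in what order (Windows lists NTLMSSP first, or alone, when it could not obtain a service ticket for the SPN it resolved for the URL). The following Python script is an added example, not code from the original post or from mod_auth_kerb; it decodes just enough of the RFC 2743/RFC 4178 DER framing to answer that question. The header values it classifies are constructed samples; in a real deployment you would feed it the value captured with Apache's `%{Authorization}i` log format directive.

```python
"""Added example: classify the token in an 'Authorization: Negotiate <b64>' header.
All sample headers below are constructed, not captured from a real client."""
import base64
from typing import Dict, List, Tuple

# DER-encoded OID content bytes for the mechanisms seen in SPNEGO mechTypes lists
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"       # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10

KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KERBEROS_MECHS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _spnego_mech_types(neg: bytes) -> List[str]:
    """mechTypes of a NegTokenInit: [0] SEQUENCE { [0] SEQUENCE OF OID, ... }."""
    tag, init, _ = _read_tlv(neg, 0)
    if tag != 0xA0:                        # not a NegTokenInit (e.g. a NegTokenResp)
        return []
    _, seq, _ = _read_tlv(init, 0)
    tag, mech_types, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        return []
    _, oid_list, _ = _read_tlv(mech_types, 0)
    mechs, pos = [], 0
    while pos < len(oid_list):
        tag, oid_raw, pos = _read_tlv(oid_list, pos)
        if tag == 0x06:
            mechs.append(_decode_oid(oid_raw))
    return mechs


def classify_negotiate_token(header_value: str) -> Dict[str, object]:
    """Return {'kind': ..., 'mechs': [...]} for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        # A raw NTLM message sent under the Negotiate scheme: this is what
        # mod_auth_kerb reports as "received token seems to be NTLM".
        return {"kind": "NTLM (raw)", "mechs": []}
    if token[:1] != b"\x60":               # not an RFC 2743 InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _read_tlv(token, 0)
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    mech = _decode_oid(oid_raw)
    if mech == "1.3.6.1.5.5.2":
        return {"kind": "SPNEGO NegTokenInit", "mechs": _spnego_mech_types(body[pos:])}
    return {"kind": KNOWN_MECHS.get(mech, mech), "mechs": [mech]}


def client_offered_kerberos(header_value: str) -> bool:
    """True when the client sent Kerberos directly or listed it in SPNEGO mechTypes."""
    return bool(KERBEROS_MECHS & set(classify_negotiate_token(header_value)["mechs"]))


def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "constructed samples use short-form lengths only"
    return bytes([tag, len(value)]) + value


def build_spnego_init(mech_oids: List[bytes]) -> str:
    """Build a minimal constructed NegTokenInit header value offering the given mechs."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list)))
    gss = _tlv(0x60, _tlv(0x06, SPNEGO_OID) + neg_init)
    return "Negotiate " + base64.b64encode(gss).decode()


# Constructed sample headers (hypothetical, not captured from the poster's environment)
SAMPLE_SPNEGO_KERB = build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])
SAMPLE_SPNEGO_NTLM_ONLY = build_spnego_init([NTLMSSP_OID])
SAMPLE_NTLM_RAW = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos offered", SAMPLE_SPNEGO_KERB),
                      ("ntlm only", SAMPLE_SPNEGO_NTLM_ONLY),
                      ("raw ntlm", SAMPLE_NTLM_RAW)]:
        info = classify_negotiate_token(hdr)
        print(name, "->", info["kind"], [KNOWN_MECHS.get(m, m) for m in info["mechs"]])
```

If `client_offered_kerberos` returns False for what the Windows browser sent, the failure happened on the client before the token was built: the workstation never got a ticket for the SPN it derived from the URL, so checking `klist` on the Windows side for an `HTTP/` ticket in the target realm (and for the cross-realm `krbtgt/CBS.DK@HHK.DK` referral that the Linux `klist` output above shows) is the next step. If it returns True and Apache still rejects the token, the problem is on the server side (keytab, SPN spelling or the enctypes the two realms agree on).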
