Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
Mikkel Kruse Johnsen
mikkel at linet.dk
Thu Jul 12 05:19:12 EDT 2007
Hi Everyone
What I want to do is to be able to authenticate (Negotiate) from Firefox and
IE7 on Windows and Linux.
What I have is an MS Active Directory 2003 (but running in 2000 mode)
with realm "HHK.DK" then I have a Linux Kerberos server (RHEL5 64bit)
with realm "CBS.DK". I have made a two-way trust between them.
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC).
That seems to work because:
On Linux: (using user in linux kerberos)
---
kinit mkj.lib@CBS.DK
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK
Valid starting     Expires            Service principal
07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
---
Going to my test server it works, phpinfo() gives me:
---
_SERVER["REMOTE_USER"]  mkj.lib@CBS.DK
_SERVER["AUTH_TYPE"]    Negotiate
---
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@CBS.DK
Valid starting     Expires            Service principal
07/09/07 12:09:43  07/10/07 12:09:43  krbtgt/CBS.DK@CBS.DK
        Flags: FI, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
07/09/07 12:10:40  07/10/07 12:09:43  HTTP/sugi.cbs.dk@CBS.DK
        Flags: FT, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour with HMAC/md5
---
Still on Linux (using user in AD)
---
kinit mkj.lib@HHK.DK
Password for mkj.lib@HHK.DK:
[mkj@tux ~]$ klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK
Valid starting     Expires            Service principal
07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
----
Web page says:
----
_SERVER["REMOTE_USER"]  mkj.lib@HHK.DK
_SERVER["AUTH_TYPE"]    Negotiate
----
klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK
Valid starting     Expires            Service principal
07/09/07 12:12:02  07/09/07 22:12:08  krbtgt/HHK.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
07/09/07 12:12:40  07/09/07 22:12:08  krbtgt/CBS.DK@HHK.DK
        renew until 07/10/07 12:12:02, Flags: FRAO
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
07/09/07 12:12:41  07/09/07 22:12:08  HTTP/sugi.cbs.dk@CBS.DK
        renew until 07/09/07 12:12:41, Flags: FRAT
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, ArcFour with HMAC/md5
----
Now on Windows joined to HHK.DK and logged in as "mkj.lib"
----
C:\Program Files\Resource Kit>klist tickets
Cached Tickets: (11)
Server: krbtgt/HHK.DK@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: krbtgt/HHK.DK@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: cifs/etrust.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: cifs/HHK-02@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: cifs/ITS-AMO.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: cifs/ns1.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: cifs/HHK-02.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: cifs/NS2.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: ldap/NS2.hhk.dk/hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: LDAP/NS2.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
Server: host/tuxwin.hhk.dk@HHK.DK
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 7/9/2007 19:26:55
    Renew Time: 7/16/2007 9:26:55
-----
But entering the web page:
---
Authorization Required
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn't understand how to supply the
credentials required.
----
Apache error log:
----
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.172] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1432): [client 130.226.36.172] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1147): [client 130.226.36.172] Acquiring creds for HTTP/sugi.cbs.dk@CBS.DK
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1266): [client 130.226.36.172] Verifying client data using KRB5 GSS-API
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1282): [client 130.226.36.172] Verification returned code 589824
[Mon Jul 09 12:16:21 2007] [debug] src/mod_auth_kerb.c(1309): [client 130.226.36.172] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Jul 09 12:16:21 2007] [error] [client 130.226.36.172] gss_accept_sec_context() failed: Invalid token was supplied (No error)
----
I have followed all the instructions, "Integrated logon is on", my sites
are in Local Sites and proxy is turned off. The same error occurs using
Firefox, having set the trusted-uris and delegation-uris in about:config to
"cbs.dk,hhk.dk". (Did the same under Linux and it works.)
Any help is appreciated.
.htaccess:
---
AuthType Kerberos
AuthName "CBS Login"
KrbAuthRealms CBS.DK HHK.DK
KrbServiceName HTTP/sugi.cbs.dk@CBS.DK
Krb5Keytab /etc/httpd/conf/httpd.keytab
KrbSaveCredentials on
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
----
Have tried without KrbServiceName set and with "KrbServiceName HTTP"
and still no luck.
krb5.conf
----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CBS.DK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
noaddresses = no
[realms]
CBS.DK = {
kdc = kerberos.cbs.dk:88
admin_server = kerberos.cbs.dk:749
default_domain = cbs.dk
}
HHK.DK = {
kdc = ns1.hhk.dk:88
admin_server = ns1.hhk.dk:749
default_domain = hhk.dk
}
[domain_realm]
.cbs.dk = CBS.DK
cbs.dk = CBS.DK
.hhk.dk = HHK.DK
hhk.dk = HHK.DK
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
----
kdc.conf
----
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
[realms]
CBS.DK = {
#master_key_type = des3-hmac-sha1
supported_enctypes = rc4-hmac:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
----
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N
Tlf: +45 2128 7793
email: mikkel at linet.dk
www: http://www.linet.dk
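The mod_auth_kerb debug lines in the post say the token presented by the Windows browser "seems to be NTLM" rather than Kerberos. The following is an added example, not code from the post, from mod_auth_kerb or from MIT Kerberos: a small Python classifier that decodes the value of an `Authorization: Negotiate` request header and reports whether it is a bare NTLMSSP message, a SPNEGO token that offers only the NTLM mechanism, or a SPNEGO/Kerberos token. Run over headers captured from the failing Windows client (for instance from a browser developer tool or the Apache `%{Authorization}i` log format), it confirms the fallback independently of the module's heuristic before any realm or enctype setting is changed. The DER helper, the OID constants and the two sample-header builders are my own; the sample headers are constructed, not captured from the poster's environment.

```python
"""Classify the token carried in an HTTP 'Authorization: Negotiate ...' header.

Added example (not from the mailing-list post, mod_auth_kerb or MIT Kerberos).
A Windows client that cannot obtain a Kerberos service ticket for the web
server falls back to NTLM, either as a raw NTLMSSP message or as a SPNEGO
token whose mechType list contains only the NTLMSSP mechanism.
"""
import base64

# DER-encoded OID values (without the 0x06 tag and the length byte)
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "ms-kerberos", OID_NTLMSSP: "ntlm"}


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths below 65536), used to build the samples."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def classify_negotiate_token(header_value: str) -> dict:
    """Map an Authorization header value to a kind and the mechanisms it offers."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):          # bare NTLMSSP, no GSS framing
        return {"kind": "ntlm-raw", "mechs": ["ntlm"]}
    if not raw or raw[0] != 0x60:                   # GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, inner, _ = read_tlv(raw, 0)
    tag, oid, rest = read_tlv(inner, 0)             # thisMech OID comes first
    if tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    if oid in (OID_KRB5, OID_MS_KRB5):
        return {"kind": "kerberos-raw", "mechs": [MECH_NAMES[oid]]}
    if oid != OID_SPNEGO:
        return {"kind": "unknown", "mechs": []}
    # Heuristic scan of the NegTokenInit body for the mechTypes OIDs, kept in
    # the order the client listed them (first entry is the client's preference).
    body = inner[rest:]
    found = [(body.find(der(0x06, o)), name) for o, name in MECH_NAMES.items()]
    mechs = [name for idx, name in sorted(found) if idx >= 0]
    kind = "spnego-kerberos" if any(m != "ntlm" for m in mechs) else "spnego-ntlm-only"
    return {"kind": kind, "mechs": mechs}


def sample_ntlm_header() -> str:
    """Constructed NTLMSSP NEGOTIATE_MESSAGE (type 1) with all flags cleared."""
    msg = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 24
    return "Negotiate " + base64.b64encode(msg).decode()


def sample_spnego_header(mech_oids) -> str:
    """Constructed SPNEGO NegTokenInit offering mech_oids and a dummy mechToken."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, b"\x00" * 8)))
    gss = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss).decode()


if __name__ == "__main__":
    for label, hdr in [
        ("raw NTLM", sample_ntlm_header()),
        ("SPNEGO, NTLM only", sample_spnego_header([OID_NTLMSSP])),
        ("SPNEGO, Kerberos offered", sample_spnego_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])),
    ]:
        print(f"{label}: {classify_negotiate_token(hdr)}")
```

A result of `ntlm-raw` or `spnego-ntlm-only` for a client that holds a valid TGT means the browser never obtained (or never tried to obtain) a ticket for the server's HTTP principal, so the next thing to check is the client side (site zone, SPN resolution, cross-realm referral) rather than the keytab; `spnego-kerberos` with a Kerberos mechanism listed means the token should be accepted by a correctly configured mod_auth_kerb and the fault lies in ticket verification instead.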