strange behavior with modauthkerb, Active Directory, and IE7
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Wed Mar 7 13:48:52 EST 2007
Hi guys I configured modauthkerb according to the (very good) tutorial
http://www.grolmsnet.de/kerbtut
Basic authentication was working from firefox, but failing from IE7.
So I cranked up the debuglevel in Apache and noticed some interesting
things in the errorlog:
[Mon Mar 05 15:17:03 2007] [debug] src/mod_auth_kerb.c(1172): [client
137.99.2.73] Acquiring creds for HTTP/sumo3.engr.uconn.edu at UCONN.EDU
[Mon Mar 05 15:17:03 2007] [error] [client 137.99.2.73]
gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab
matches desired name)
[Mon Mar 05 15:17:03 2007] [info] Connection to child 70 closed with
unclean shutdown(server people.engr.uconn.edu:443, client 137.99.2.73)
[Mo
This was odd because our Kerberos realm is AD.ENGR.UCONN.EDU, and the
principle I created with ktpass.exe was
HTTP/sumo3.engr.uconn.edu at AD.ENGR.UCONN.EDU
Why was it changing the REALM to UCONN.EDU?
My /etc/krb5.conf was pretty straightforward and in no place defined the
realm UCONN.EDU, and my .htaccess file looked like this:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms AD.ENGR.UCONN.EDU
KrbServiceName HTTP
KrbVerifyKDC off
KrbMethodNegotiate on
KrbSaveCredentials off
Krb5Keytab /etc/krb5.keytab
require valid-user
If I changed the KrbMethodNegotiate to off, then IE7 would let me login
by typing my username and password. However, since I was logging on to
the Windows domain, I should be able to authenticate with kerberos, so I
turned KrbMethodNegotiate back on and was unable to authenticate with
IE7 again. Changing my KrbServiceName to
HTTP/sumo3.engr.uconn.edu at AD.ENGR.UCONN.EDU did the trick.
Now IE will let me authenticate without typing my password (using my TGT?)
Things are working the way I want them now. Are there any problems with
my configuration? Does anyone know how my realm got confused?
Thanks for any help!
Rohit
More information about the Kerberos
mailing list