strange behavior with modauthkerb, Active Directory, and IE7

Rohit Kumar Mehta rohitm at engr.uconn.edu
Wed Mar 7 13:48:52 EST 2007


Hi guys, I configured modauthkerb according to the (very good) tutorial 
http://www.grolmsnet.de/kerbtut

Basic authentication was working from firefox, but failing from IE7.
So I cranked up the debuglevel in Apache and noticed some interesting 
things in the errorlog:

[Mon Mar 05 15:17:03 2007] [debug] src/mod_auth_kerb.c(1172): [client 
137.99.2.73] Acquiring creds for HTTP/sumo3.engr.uconn.edu at UCONN.EDU
[Mon Mar 05 15:17:03 2007] [error] [client 137.99.2.73] 
gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab 
matches desired name)
[Mon Mar 05 15:17:03 2007] [info] Connection to child 70 closed with 
unclean shutdown(server people.engr.uconn.edu:443, client 137.99.2.73)
[Mo

This was odd because our Kerberos realm is AD.ENGR.UCONN.EDU, and the 
principal I created with ktpass.exe was 
HTTP/sumo3.engr.uconn.edu at AD.ENGR.UCONN.EDU
Why was it changing the REALM to UCONN.EDU?

My /etc/krb5.conf was pretty straightforward and in no place defined the 
realm UCONN.EDU, and my .htaccess file looked like this:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms AD.ENGR.UCONN.EDU
KrbServiceName HTTP
KrbVerifyKDC off
KrbMethodNegotiate on
KrbSaveCredentials off
Krb5Keytab /etc/krb5.keytab
require valid-user


If I changed the KrbMethodNegotiate to off, then IE7 would let me login 
by typing my username and password. However, since I was logging on to 
the Windows domain, I should be able to authenticate with kerberos, so I 
turned KrbMethodNegotiate back on and was unable to authenticate with 
IE7 again.  Changing my KrbServiceName to 
HTTP/sumo3.engr.uconn.edu at AD.ENGR.UCONN.EDU did the trick.
Now IE will let me authenticate without typing my password (using my TGT?)

Things are working the way I want them now.  Are there any problems with 
my configuration? Does anyone know how my realm got confused?

Thanks for any help!

Rohit
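The realm confusion in the post comes from how a bare KrbServiceName such as "HTTP" is expanded: mod_auth_kerb hands the host-based name to libkrb5, which picks the realm for the web server's hostname from krb5.conf's [domain_realm] mapping, falling back to default_realm (and, when dns_lookup_realm is enabled, to _kerberos TXT records in DNS), and then looks for exactly that principal in the keytab. The script below is an added illustration for this thread, not code from mod_auth_kerb or from the poster. It reproduces the [domain_realm] lookup (exact host, then longest-suffix match, then default_realm), parses `klist -kt` output, and reports whether the principal the module will ask for actually exists in the keytab. It assumes the hostname is already canonical (it does not do the DNS canonicalization libkrb5 performs) and ignores DNS-based realm discovery; the krb5.conf fragments and the klist output are constructed samples, not the poster's real files.

```python
"""Predict the service principal mod_auth_kerb will request for a bare
KrbServiceName and check whether the keytab contains it.

Added example for the mailing list thread; not mod_auth_kerb's own code.
Assumptions: hostname already canonical, no dns_lookup_realm, and a flat
krb5.conf (nested {...} blocks such as [realms] entries are skipped)."""

import re

# --- constructed samples (not the poster's real files) -------------------
CONF_PLAIN = """
[libdefaults]
    default_realm = AD.ENGR.UCONN.EDU
    dns_lookup_realm = false
[realms]
    AD.ENGR.UCONN.EDU = {
        kdc = dc1.ad.engr.uconn.edu
    }
"""

# Same file, but with a [domain_realm] entry that sends the web server's
# domain to a different realm -- enough to produce the mismatch in the post.
CONF_MAPPED = CONF_PLAIN + """
[domain_realm]
    .engr.uconn.edu = UCONN.EDU
"""

KLIST_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   3 03/05/07 14:02:11 HTTP/sumo3.engr.uconn.edu@AD.ENGR.UCONN.EDU
   3 03/05/07 14:02:11 HTTP/sumo3.engr.uconn.edu@AD.ENGR.UCONN.EDU
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: `key = value` pairs grouped by [section].
    Lines inside { ... } blocks are skipped; keys are lower-cased."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m and depth == 0:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or "=" not in line or current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(host, conf):
    """Mimic the [domain_realm] lookup: exact host first, then each parent
    domain (".engr.uconn.edu" / "engr.uconn.edu" forms), then default_realm."""
    host = host.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return conf.get("libdefaults", {}).get("default_realm")


def expected_principal(service, host, conf):
    """A KrbServiceName that already carries '@realm' is used verbatim (the
    fix from the post); a bare service name is expanded to service/host@realm."""
    if "@" in service:
        return service
    return "%s/%s@%s" % (service, host.lower().rstrip("."), realm_for_host(host, conf))


def keytab_principals(klist_text):
    """Collect the Principal column from `klist -k` or `klist -kt` output."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+(?:\S+\s+\S+\s+)?([^\s@]+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def check_keytab(service, host, conf_text, klist_text):
    """Return (principal the module will request, whether the keytab has it)."""
    conf = parse_krb5_conf(conf_text)
    want = expected_principal(service, host, conf)
    return want, want in keytab_principals(klist_text)


if __name__ == "__main__":
    for label, conf in (("plain", CONF_PLAIN), ("mapped", CONF_MAPPED)):
        want, ok = check_keytab("HTTP", "sumo3.engr.uconn.edu", conf, KLIST_SAMPLE)
        print("%-6s wants %-45s in keytab: %s" % (label, want, ok))
```

On a real server, feed the script the actual /etc/krb5.conf and the output of `klist -kt /etc/krb5.keytab`; if the expected principal is absent, either the domain-to-realm mapping (in krb5.conf or in DNS) or the keytab generated with ktpass is the thing to correct, rather than hard-coding the realm into KrbServiceName, which only sidesteps the lookup.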

More information about the Kerberos mailing list