Access problem Apache/mod_auth_kerb/AD

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Nov 21 09:00:09 EST 2007


Hi Florian

I had the same problem. There is an error in mod_auth_kerb when using
the system SPNEGO. You have to use the mod_auth_kerb internal SPNEGO.

I was testing on RHEL5 and had to recompile with internal SPNEGO and it
worked.

/Mikkel

On Wed, 2007-11-21 at 14:36 +0100, Florian Dautermann wrote:

> Hello,
> 
> I have the following problem:
> Our KDC is a Windows 2003 AD Server with address "company.corp" 
> which is also the name of the domain. We have an Apache 
> Webserver running on an OpenSuse with mod_auth_kerb (5.3). 
> Its name is "department.location.company.corp". It has a 
> valid keytab file (for 
> HTTP/department.location.company.corp at company.corp) with 
> which it can get tickets. The WebServer is accessed via "http://department.location.company.corp:1081/site".
> 
> Some hosts can access the WebServer correctly. 
> 
> The other hosts who cannot access the WebServer are 
> Windows XP Pro machines, hooked into the domain with a 
> domain user logged on. Access is not possible via: IE6, 
> IE7, Mozilla despite correct configuration (Integrated 
> Windows Authentication is on, correct zone is set...). 
> Access is possible via the following ways: running the 
> browsers explicitly as the user's domain account; using 
> MIT Kerberos for Windows in combination with mozilla 
> (switching network.auth.use-sspi to false). Kerbtray 
> shows a TGT in the MSLSA cache. 
> 
> In case of a failure, Apache log shows that the client 
> is sending an NTLM token. Network sniffers show that 
> there is no communication between the client and the KDC.
> 
> One really funny thing about the whole thing is that 
> the error appears exclusively if the user is in the local 
> Administrators group. (User logs on; it is working; user 
> is granted administrative rights; logs off and on again; 
> it does not work). Removing the user from Administrator 
> group again afterwards does not solve the problem.
> 
> I guess somehow the Microsoft SSPI is the problem, but
> I do not know how to fix it.
> 
> Any ideas or thoughts are appreciated.
> 
> Thanks,
> Florian
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work:    +45 21287793
Mobile:  +45 21287793
Email:   mikkel at linet.dk
IM:      mikkel at linet.dk (MSN)

Professional Profile
Healthcare
Network Consultant


