Access problem Apache/mod_auth_kerb/AD

Florian.Dautermann@gmx.de Florian.Dautermann at gmx.de
Wed Nov 21 09:20:17 EST 2007


Hi Mikkel,

thanks for the quick answer! Can you tell me how I switch to the internal SPNEGO? I did not find any information about that on the project web page nor on the internet.

Thanks,
Florian


> Hi Florian
> 
> I had the same problem. There is an error in mod_auth_kerb when using
> the system SPNEGO. You have to use the mod_auth_kerb internal SPNEGO.
> 
> I was testing on RHEL5 and had to recompile with internal SPNEGO and it
> worked.
> 
> /Mikkel
> 
> On Wed, 2007-11-21 at 14:36 +0100, Florian Dautermann wrote:
> 
> > Hello,
> > 
> > I have the following problem:
> > Our KDC is a Windows 2003 AD Server with address "company.corp" 
> > which is also the name of the domain. We have an Apache 
> > Webserver running on an OpenSuse with mod_auth_kerb (5.3). 
> > Its name is "department.location.company.corp". It has a 
> > valid keytab file (for 
> > HTTP/department.location.company.corp at company.corp) with 
> > which it can get tickets. The WebServer is accessed via
> > "http://department.location.company.corp:1081/site".
> > 
> > Some hosts can access the WebServer correctly. 
> > 
> > The other hosts that cannot access the WebServer are 
> > Windows XP Pro machines, hooked into the domain with a 
> > domain user logged on. Access is not possible via: IE6, 
> > IE7, Mozilla despite correct configuration (Integrated 
> > Windows Authentication is on, correct zone is set...). 
> > Access is possible via the following ways: running the 
> > browsers explicitly as the user's domain account; using 
> > MIT Kerberos for Windows in combination with Mozilla 
> > (switching network.auth.use-sspi to false). Kerbtray 
> > shows a TGT in the MSLSA cache. 
> > 
> > In case of a failure, the Apache log shows that the client 
> > is sending an NTLM token. Network sniffers show that 
> > there is no communication between the client and the KDC.
> > 
> > One really funny thing about the whole thing is that 
> > the error appears exclusively if the user is in the local 
> > Administrators group. (User logs on; it is working; user 
> > is granted administrative rights; logs off and on again; 
> > it does not work). Removing the user from Administrator 
> > group again afterwards does not solve the problem.
> > 
> > I guess somehow the Microsoft SSPI is the problem, but
> > I do not know how to fix it.
> > 
> > Any ideas or thoughts are appreciated.
> > 
> > Thanks,
> > Florian
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> Med Venlig Hilsen / Kind Regards
> 
> Mikkel Kruse Johnsen
> Adm.Dir.
> 
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200
> Denmark
> 
> Work:   +45 21287793
> Mobile: +45 21287793
> Email:  mikkel at linet.dk
> IM:     mikkel at linet.dk (MSN)
> Professional Profile: Healthcare Network Consultant
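Florian's Apache log only says the client sent an NTLM token; the check below, an added example that is not part of this thread or of mod_auth_kerb, decodes an Authorization/Negotiate header and tells a raw NTLMSSP token, a SPNEGO wrapper (with or without NTLMSSP inside) and a bare Kerberos token apart, which is the first thing to establish before blaming SSPI or the module. The OIDs are the well-known GSS-API values; `build_gss_token` and the sample header are constructed for illustration.

```python
import base64

# OIDs in DER contents form (tag and length stripped); well-known values, not from the thread.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 (Kerberos v5)
NTLM_SIGNATURE = b"NTLMSSP\x00"                    # every NTLMSSP message starts with this

def der_length(buf: bytes, pos: int):
    """Return (length, position after the length field) for a DER length at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def build_gss_token(oid: bytes, inner: bytes) -> bytes:
    """Constructed helper: wrap an OID and payload as a GSS-API InitialContextToken (short lengths only)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body

def classify_negotiate_token(token: bytes) -> str:
    """Say which mechanism a decoded Negotiate token actually carries."""
    if token.startswith(NTLM_SIGNATURE):
        return "NTLM"                          # raw NTLMSSP: the case Florian's Apache log reports
    if not token or token[0] != 0x60:          # [APPLICATION 0] = GSS-API InitialContextToken
        return "unknown"
    _, pos = der_length(token, 1)
    if token[pos] != 0x06:                     # an OBJECT IDENTIFIER must follow
        return "unknown"
    oid_len, pos = der_length(token, pos + 1)
    oid = token[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        # SPNEGO can still carry NTLMSSP as its mechToken; report that separately.
        return "SPNEGO(NTLM inside)" if NTLM_SIGNATURE in token else "SPNEGO"
    if oid == KRB5_OID:
        return "Kerberos"
    return "unknown"

def classify_authorization_header(value: str) -> str:
    """Classify an HTTP Authorization header value such as 'Negotiate <base64>'."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        return classify_negotiate_token(base64.b64decode(b64, validate=True))
    except (ValueError, IndexError):           # bad base64 or a truncated DER header
        return "malformed"

# Constructed sample: a 32-byte NTLMSSP NEGOTIATE (type 1) message as a browser falling back to NTLM sends it.
SAMPLE_NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
```

Run it against the `Authorization` value from a failing request (or what mod_auth_kerb logged): a result of `NTLM` on a domain-joined client means the browser never asked the KDC for a service ticket, matching the absent KDC traffic Florian saw in the sniffer.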



More information about the Kerberos mailing list