Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

palm palma1977 at googlemail.com
Mon Nov 26 06:04:43 EST 2007


hi,

Currently we have a heavy problem with our SSO configuration. You can see
in the subject which configuration we have: it's an Apache 2 with Kerberos
modules and the users are in an MS Active Directory.

Everything works rather fine, but some of the users get a login
message dialog box a few times a day. After the login with their
username and password everything works fine. Some of them get the
box again after a while and some don't.

For most of the users it works fine, but it's not only a special
group who has this login box problem. Most users have not had
this problem.

When a user gets the login box, we find these messages in the Apache
logs:

[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1174): [client 192.168.2.115] Acquiring creds for HTTP/webserver.maindomain.com at MAINDOMAIN.COM

[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1314): [client 192.168.2.115] Verifying client data using KRB5 GSS-API
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1330): [client 192.168.2.115] Verification returned code 589824
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

[Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(943): [client 192.168.2.115] Using HTTP/webserver.maindomain.com at MAINDOMAIN.COM as server principal for password verification
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for user userpalm at MAINDOMAIN.COM
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(597): [client 192.168.2.115] Trying to verify authenticity of KDC using principal HTTP/webserver.maindomain.com at MAINDOMAIN.COM

The reason for that problem is that the browser tried to get an NTLM
ticket, but we don't know why. Everything is configured for
Kerberos and for most users it works fine. We have already checked
different browsers and we have this problem with IE 6 & 7 and Firefox.

I hope someone here has a great idea what we can do.

greetz
palm
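As an added diagnostic example (not code from the original post or from mod_auth_kerb), the Python script below tells an NTLM token apart from a GSS-API/SPNEGO one in an `Authorization: Negotiate` header and counts, per client IP, how often mod_auth_kerb logged the "received token seems to be NTLM" warning, so the affected workstations can be found. The log lines and header values it uses are constructed samples in the same format as the excerpt above.

```python
import base64
import re
from collections import Counter

# Constructed sample in mod_auth_kerb's debug-log format (same shape as the post's excerpt)
SAMPLE_LOG = """\
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Wed Nov 21 12:12:40 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.120] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Nov 21 12:13:01 2007] [debug] src/mod_auth_kerb.c(1314): [client 192.168.2.130] Verifying client data using KRB5 GSS-API
"""

NTLM_MAGIC = b"NTLMSSP\x00"  # every NTLMSSP message starts with this signature
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] .*?\[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")

# Constructed headers: a truncated NTLM Type 1 message and a truncated GSS-API/SPNEGO token
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_MAGIC + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_GSS_HEADER = "Negotiate " + base64.b64encode(b"\x60\x81\x06\x06\x2b\x06\x01\x05\x05\x02").decode()


def classify_negotiate_token(header_value: str) -> str:
    """Say what an 'Authorization: Negotiate <base64>' header actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable"
    if raw.startswith(NTLM_MAGIC):
        return "ntlm"  # base64 form starts with "TlRMTVNTUAAB": the browser fell back to NTLM
    if raw[:1] == b"\x60":
        return "gssapi"  # ASN.1 [APPLICATION 0]: GSS-API InitialContextToken (SPNEGO or raw Kerberos)
    return "unknown"


def ntlm_fallback_clients(log_text: str) -> Counter:
    """Count, per client IP, the requests mod_auth_kerb rejected as NTLM tokens."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "received token seems to be NTLM" in m.group("msg"):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in ntlm_fallback_clients(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} NTLM fallback(s)")
```

Run it against the real error_log to get the list of client addresses whose browsers are sending NTLM instead of Kerberos; those are the workstations whose browser configuration (zone/intranet settings, SPN reachability) needs checking.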
