Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users
f.d@gmx.eu
f.d at gmx.eu
Mon Nov 26 07:38:43 EST 2007
Sounds like the same problem I posted last week. Unfortunately I have not found a solution for it. If you find any, please let me know, I will do the same.
Just to check:
[ ] You have the "Enable Integrated Windows Authentication" checkbox checked and restarted your browser
[ ] You have added the site you are contacting to your "local intranet zone"
[ ] In security Settings for intranet zone "Automatic logon only in intranet zone" is selected
Regards,
Florian
-------- Original Message --------
> Date: Mon, 26 Nov 2007 03:04:43 -0800 (PST)
> From: palm <palma1977 at googlemail.com>
> To: kerberos at mit.edu
> Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users
> hi,
>
> currently we had a heavy problem with our SSO configuration. you can see
> in subject which configuration we have. it's an apache2 with kerberos
> modules and the users are in an MS active directory.
>
> everything works rather fine. but some of the users get a login
> message dialog box few times a day. after the login with their
> username and password everything works fine. some of them getting the
> box again after a while and some don't.
>
> for the most of all users it works fine. but it's not only a special
> group who had this login box problem. the most of all users had
> already this problem not
>
> when a User gets the Login Box we found these messages in the Apache
> logs :
>
> [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1174): [client 192.168.2.115] Acquiring creds for HTTP/webserver.maindomain.com at MAINDOMAIN.COM
> [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1314): [client 192.168.2.115] Verifying client data using KRB5 GSS-API
> [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1330): [client 192.168.2.115] Verification returned code 589824
> [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
> [Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
> [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(943): [client 192.168.2.115] Using HTTP/webserver.maindomain.com at MAINDOMAIN.COM as server principal for password verification
> [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for user userpalm at MAINDOMAIN.COM
> [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(597): [client 192.168.2.115] Trying to verify authenticity of KDC using principal HTTP/webserver.maindomain.com at MAINDOMAIN.COM
>
> The reason for that Problem is that the Browser tried to get an NTLM
> Ticket but we don't know why .... everything is configured for
> Kerberos and for the most of all User it works fine. We checked already
> different Browsers and we have this Problem with IE 6 & 7 and Firefox.
>
> I hope someone here had a great Idea what we can do.
>
> greetz
> palm
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos