Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users

Nikhil mnikhil at gmail.com
Mon Nov 26 08:07:39 EST 2007


Run kerbtray.exe on the Windows system and try to purge all the available
ticket caches.

On Nov 26, 2007 6:08 PM, <f.d at gmx.eu> wrote:

> Sounds like the same problem I posted last week. Unfortunately I have not
> found a solution for it. If you find any, please let me know, I will do the
> same.
>
> Just to check:
> [ ] You have the "Enable Integrated Windows Authentication" checkbox
> checked and restarted your browser
> [ ] You have added the site you are contacting to your "local intranet
> zone"
> [ ] In security settings for intranet zone "Automatic logon only in
> intranet zone" is selected
>
> Regards,
> Florian
>
>
> -------- Original Message --------
> > Date: Mon, 26 Nov 2007 03:04:43 -0800 (PST)
> > From: palm <palma1977 at googlemail.com>
> > To: kerberos at mit.edu
> > Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users
>
> > hi,
> >
> > currently we have a heavy problem with our SSO configuration. you can see
> > in the subject which configuration we have. it's an apache2 with kerberos
> > modules and the users are in an MS active directory.
> >
> > everything works rather fine. but some of the users get a login
> > message dialog box a few times a day. after the login with their
> > username and password everything works fine. some of them get the
> > box again after a while and some don't.
> >
> > for most users it works fine. but it's not only a special
> > group who had this login box problem. the most of all users had
> > already this problem not
> >
> > when a user gets the login box we found these messages in the Apache
> > logs:
> >
> > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1174): [client 192.168.2.115] Acquiring creds for HTTP/webserver.maindomain.com at MAINDOMAIN.COM
> > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1314): [client 192.168.2.115] Verifying client data using KRB5 GSS-API
> > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1330): [client 192.168.2.115] Verification returned code 589824
> > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
> > [Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
> > [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(943): [client 192.168.2.115] Using HTTP/webserver.maindomain.com at MAINDOMAIN.COM as server principal for password verification
> > [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for user userpalm at MAINDOMAIN.COM
> > [Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(597): [client 192.168.2.115] Trying to verify authenticity of KDC using principal HTTP/webserver.maindomain.com at MAINDOMAIN.COM
> >
> > The reason for that problem is that the browser tried to get an NTLM
> > ticket but we don't know why ... everything is configured for
> > Kerberos and for most users it works fine. We already checked
> > different browsers and we have this problem with IE 6 & 7 and Firefox.
> >
> > I hope someone here has a great idea what we can do.
> >
> > greetz
> > palm
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos



-- 
Nikhil

Google is Great !
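
Added example, not part of the original messages or of mod_auth_kerb: a Python sketch that tells an NTLM token from a SPNEGO/Kerberos token in an `Authorization: Negotiate` value and counts, per client, the "received token seems to be NTLM" warning shown in the quoted log. The function names, the sample tokens and the second client address are constructed for illustration.

```python
import base64
import re
from collections import Counter

SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))     # 1.2.840.48018.1.2.2 (MS variant)

def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' value."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):    # raw NTLM message, no GSS-API framing
        return "ntlm"
    if token[:1] == b"\x60":                # GSS-API initial context token (RFC 2743)
        head = token[:24]
        if SPNEGO_OID in head:
            return "spnego"
        if any(oid in head for oid in KRB5_OIDS):
            return "kerberos"
    return "unknown"

# Matches the mod_auth_kerb warning quoted in the thread; \s+ tolerates wrapped lines.
NTLM_WARNING = re.compile(
    r"\[client\s+([0-9A-Fa-f.:]+)\]\s+Warning:\s+received\s+token\s+seems\s+to\s+be\s+NTLM")

def ntlm_fallback_clients(log_text):
    """Count NTLM-token warnings per client address in an Apache error log."""
    return Counter(NTLM_WARNING.findall(log_text))

# Constructed sample data (truncated tokens; 192.0.2.10 is a made-up second client).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex("601e06062b0601050502a014") + bytes(20)).decode()
SAMPLE_LOG = """\
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Wed Nov 21 12:15:40 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.0.2.10] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
"""

if __name__ == "__main__":
    print(classify_negotiate(SAMPLE_NTLM), classify_negotiate(SAMPLE_SPNEGO))
    for client, hits in ntlm_fallback_clients(SAMPLE_LOG).most_common():
        print(client, hits)
```

Grouping the warnings by client address shows whether the NTLM fallback is tied to particular workstations or spread across all of them.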


