[solved] Using Apache with mod_auth_kerb

Ansgar Burchardt ansgar at 2008.43-1.org
Tue Dec 2 16:50:03 EST 2008


Russ Allbery <rra at stanford.edu> writes:
> Ansgar Burchardt <ansgar at 2008.43-1.org> writes:
>> I have a small problem with mod_auth_kerb and Firefox 3.0:  While
>> authenticating via Kerberos works fine from a computer located in the
>> same domain, I cannot get Firefox to authenticate from my home computer.
> After you try to visit the web site in question, run klist.  Does an
> HTTP/* ticket for the web server show up in your ticket cache?  If so,
> something is going wrong with the Negotiate-Auth part of Firefox's code;
> if not, you probably have a more basic problem with mapping the web server
> to an existing Kerberos principal.

I have found the problem: Firefox seems to require that the Kerberos
service principal matches the domain name entered in the address bar,
while Konqueror was satisfied with the service principal matching the
host name of the server.

I added another service principal "HTTP/www.example.com" (only had
"HTTP/server.example.com" before) and put "KrbServiceName Any" in the
Apache configuration and everything works now.

> Make sure that your realm mappings are correct in your /etc/krb5.conf
> file, for example.  That's often the problem.

The krb5.conf only has the default_realm; all other options can be
obtained via DNS here.  This makes using Kerberos from home much easier
to set up.


PGP: 1024D/595FAD19  739E 2D09 0969 BEA9 9797  B055 DDB0 2FF7 595F AD19
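
An added example, not part of the original post: a check that every name users may type in the address bar has a matching HTTP/ key in the web server's keytab, which is the mismatch described above. It parses plain `klist -k` output; the sample output, keytab path and realm EXAMPLE.COM are constructed assumptions.

```python
import re

# Constructed sample of MIT `klist -k` output (path and realm are assumptions).
KLIST_BEFORE = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/server.example.com@EXAMPLE.COM
"""

# Same keytab after adding the second service principal from the post.
KLIST_AFTER = KLIST_BEFORE + "   1 HTTP/www.example.com@EXAMPLE.COM\n"

# One keytab entry line: "<kvno> <service>/<host>@<REALM>"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+?)/(\S+?)@(\S+)\s*$")


def keytab_principals(klist_output):
    """Return the set of (service, host, realm) entries, host lower-cased."""
    entries = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            _kvno, service, host, realm = m.groups()
            entries.add((service, host.lower(), realm))
    return entries


def missing_spns(klist_output, site_names, realm, service="HTTP"):
    """List principals needed for site_names that the keytab lacks."""
    have = keytab_principals(klist_output)
    return sorted(
        f"{service}/{name.lower()}@{realm}"
        for name in site_names
        if (service, name.lower(), realm) not in have
    )


if __name__ == "__main__":
    # Host name of the server plus the name entered in the address bar.
    names = ["server.example.com", "www.example.com"]
    for label, out in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        gaps = missing_spns(out, names, "EXAMPLE.COM")
        print(label, gaps if gaps else "all names covered")
```

With "KrbServiceName Any" the module accepts a ticket for any principal in the keytab that matches the client's request, so the keytab should hold only the HTTP/ keys intended for this server.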
