Michael B Allen ioplex at gmail.com
Tue Sep 16 17:48:21 EDT 2008

On Tue, Sep 16, 2008 at 4:15 PM, Tuomas <tuomaksen.spammiposti at gmail.com> wrote:
> Michael B Allen wrote:
>> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
>> <tuomaksen.spammiposti at gmail.com> wrote:
>>> I also found out using wireshark what Internet Explorer does when it
>>> fails to authenticate using Kerberos. It asks a ticket from the Active
>>> Directory server for HTTP/virtualhost.domain.com instead of
>>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>>> anyone found solutions for this?
>> That's not a bug. You will need to add SPNs to the desired account
>> (using setspn) for each virtual hostname.
> I see, just can't understand why this is happening occasionally. At
> least it makes things harder.
> Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still
> didn't work as they should. Now in apache's error.log I get:
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> may provide more information (Key table entry not found)
> I understand that I should have also virtualhost.domain.com defined in
> my keytab, just don't have any idea how to do that.

Actually I think I might know why you're getting an error (I don't
know a lot about mod_auth_kerb - I know a lot more about what is
possible protocol-wise as opposed to what mod_auth_kerb can do).

A keytab file can have multiple principals (SPNs in this case). For
example, our Plexcel product automatically generates a keytab with all
of the SPNs set on the HTTP service account. But now that I think
about it, because mod_auth_kerb relies on ktpass.exe to generate the
keytab file, and because ktpass can only generate the said keytab file
with one principal, it has to be that one SPN you want to use.

Meaning I suspect you have to run ktpass to generate a keytab file
*with the specific SPN* you want to use.

You might want to bring your problem to the mod_auth_kerb mailing
list. They would certainly know better than I how to set this up. I'm
happy to give you my best guess here but again, I'm not terribly
familiar with mod_auth_kerb's nuances.


Michael B Allen
PHP Active Directory SPNEGO SSO
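
The following is an added example, not part of the original message or of mod_auth_kerb: one way to check which principals an MIT-format keytab (file version 0x0502) actually holds, so a missing SPN can be spotted before Apache logs "Key table entry not found". The realm DOMAIN.COM, the zero-filled key and the function names are assumptions made for the example.

```python
import struct

def build_entry(spn, realm, kvno=3, enctype=18, key=b"\x00" * 32):
    """Build one constructed 0x0502 keytab entry (zero key, sample data only)."""
    comps = spn.split("/")
    body = struct.pack(">H", len(comps))              # component count, realm excluded
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return (principal, kvno, enctype) for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                       # treated here as end of data
            break
        if size < 0:                        # deleted entry: skip the hole
            pos += -size
            continue
        end, p = pos + size, pos
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        names = []
        for _ in range(ncomp + 1):          # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            names.append(data[p:p + n].decode()); p += n
        _, _, kvno = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if end - p >= 4:                    # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return out

def has_spn(data, spn, realm):
    """True if the keytab holds at least one key for spn@realm."""
    return any(p == f"{spn}@{realm}" for p, _, _ in list_principals(data))

# Constructed sample: a keytab holding only the real hostname's SPN.
SAMPLE = b"\x05\x02" + build_entry("HTTP/realname.domain.com", "DOMAIN.COM")
```

On a real file, pass the bytes read from the keytab instead of SAMPLE; the listing also shows the key version number and encryption type of each entry.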
