[mod_auth_kerb] Use of Kerberos with multiple vhost

Yves-Alexis Perez corsac at corsac.net
Thu Apr 23 10:16:35 EDT 2009


Hi,

I'm trying to set up a system where users are in an active directory and
we use some Linux servers, using apache and mod_auth_kerb. I've
successfully managed to use kerberos to authenticate from a Windows XP
workstation (and from a kerberized Linux box) to the webserver if I use
the fqdn of the server. Using a virtualhost which doesn't point to the
fqdn doesn't work.

I've created the keytab using the ktpass util on the PDC, and the
principal name is HTTP/fqdn.example.net@REALM.EXAMPLE.NET

I then use:

AuthType Kerberos
KrbMethodNegotiate On
KrbServiceName HTTP/fqdn.example.net
KrbAuthRealms REALM
require valid-user

to protect a directory accessible from http://fqdn.example.net/~user/
and another directory accessible using http://vhost.example.net/.
The former works while the latter doesn't.

fqdn.example.net has a correct reverse while vhost.example.net doesn't,
but forcing it in the various /etc/hosts involved doesn't work.

Looking at the logs it seems that Firefox and Internet Explorer don't
even try to start to negotiate Kerberos auth from the vhost one.

I'm wondering if I should use one principal per vhost (which doesn't
scale very well).

Oh, btw I'm using krb5 1.6.1 from RHEL5.

Thanks for any help (please keep me in CC: on reply cause I'm not subscribed
to the list).

Cheers,
-- 
Yves-Alexis



