mod_auth_kerb: gss_accept_sec_context() failed

Andrew Cobaugh phalenor at gmail.com
Fri Jan 16 15:49:12 EST 2009


On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <michael at stroeder.com> wrote:
> Hi!
>
> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
> initialized.
>
> The web browser is Seamonkey and it already sends the
> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
> in the HTTP request.
>
> But it does not work. I don't get authorized HTTP access.
> In Apache's error_log I find:
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
> code may provide more information (, Decrypt integrity check failed)

Are you sure that the keytab specified by Krb5Keytab is consistent
with the HTTP service principal that is in AD? That message is the
same as saying "your password is wrong."

Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
patch so that mod_auth_kerb sets up the GSS environment correctly, so
that your application will use the correct KRB5CCNAME:

http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch

--andy
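
One way to run the keytab consistency check suggested in the reply above, as an added example that is not part of the original thread: it compares the key version numbers in MIT `klist -k -e` output with the one `kvno` reports from the KDC. The principal name, keytab path and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare key version numbers in a keytab against the KDC's.
# Live use (keytab path is a placeholder; run kinit first so kvno can get a ticket):
#   P=HTTP/www.example.com@EXAMPLE.COM
#   check_keytab "$P" "$(klist -k -e /path/to/http.keytab)" "$(kvno "$P")"

# Print "KVNO ENCTYPE" for each `klist -k -e` line (stdin) whose principal is exactly $1.
keytab_entries() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p {
        e = $0; sub(/^[^(]*\(/, "", e); sub(/\)[^)]*$/, "", e); print $1, e }'
}

# Print N from `kvno` output of the form "PRINCIPAL: kvno = N" (stdin).
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# check_keytab PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 if the keytab holds the KDC's current kvno, 1 if it only holds other
# versions, 2 if the principal is absent or the kvno output could not be parsed.
# A matching kvno is necessary, not sufficient: a key from the wrong password fails the same way.
check_keytab() {
    ck_want=$(printf '%s\n' "$3" | kdc_kvno)
    ck_have=$(printf '%s\n' "$2" | keytab_entries "$1")
    if [ -z "$ck_want" ] || [ -z "$ck_have" ]; then
        echo "MISSING: no keytab entry for $1 (names are matched exactly) or no kvno from KDC"
        return 2
    fi
    if printf '%s\n' "$ck_have" | grep -q "^$ck_want "; then
        echo "OK: keytab has kvno $ck_want:"
        printf '%s\n' "$ck_have" | grep "^$ck_want "
        return 0
    fi
    echo "STALE: KDC issues kvno $ck_want, keytab only has:"; printf '%s\n' "$ck_have"
    return 1
}

# Constructed sample output (not from the original thread).
SAMPLE_PRINC='HTTP/www.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/path/to/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/www.example.com@EXAMPLE.COM (arcfour-hmac)
   2 host/www.example.com@EXAMPLE.COM (arcfour-hmac)'
SAMPLE_KVNO_STALE='HTTP/www.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KVNO_OK='HTTP/www.example.com@EXAMPLE.COM: kvno = 2'

check_keytab "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" || true
```

A STALE or MISSING result means the keytab should be regenerated for the service account; an OK result with the error still present points at a key derived from a different password or an encryption type the service does not hold.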



