mod_auth_kerb: gss_accept_sec_context() failed

Michael Ströder michael at stroeder.com
Mon Jan 19 11:32:28 EST 2009


Andrew Cobaugh wrote:
> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <michael at stroeder.com> wrote:
>> HI!
>>
>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
>> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
>> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
>> initialized.
>>
>> The web browser is Seamonkey and it already sends the
>> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
>> in the HTTP request.
>>
>> But it does not work. I don't get authorized HTTP access.
>> In Apache's error_log I find:
>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
>> code may provide more information (, Decrypt integrity check failed)
> 
> Are you sure that the keytab specified by Krb5Keytab is consistent
> with the HTTP service principal that is in AD? That message is the
> same as saying "your password is wrong."

Yes, I'm pretty sure. Krb5Keytab points to the file I've extracted with
ktpass.exe and the command-line tool 'strings' extracts the right
Kerberos realm, "HTTP" and fully-qualified domain name of the server.

How can I gather more debug log messages?

> Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
> patch so that mod_auth_kerb sets up the GSS environment correctly, so
> that your application will use the correct KRB5CCNAME:
> 
> http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch

Many thanks for this information!

Ciao, Michael.
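Added example, not from this thread or from mod_auth_kerb: a Python reader for the version-2 MIT keytab format that ktpass.exe and ktutil write. Where `strings` only shows the realm and name text, this prints, per entry, the principal, kvno and enctype that the AD account's key must agree with, and flags a missing principal or a kvno that differs from what AD reports. The realm EXAMPLE.COM, the host www.example.com, the kvno values and the all-zero key bytes are constructed sample values.

```python
import struct
# Enctype numbers from RFC 3961/RFC 4757; ktpass.exe on W2K3 normally writes 23.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Parse a version-2 MIT keytab (ktpass.exe / ktutil output); key bytes are not returned."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab, header %r" % data[:2]
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                   # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []                   # realm first, then the principal's name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode("utf-8")); pos += n
        _nametype, ts, vno, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen               # step over the key material itself
        if end - pos >= 4:             # optional 32-bit kvno overrides the 8-bit field
            vno = struct.unpack(">I", data[pos:pos + 4])[0] or vno
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "timestamp": ts})
    return entries

def check_service_entry(entries, principal, expected_kvno=None):
    """Say whether the keytab holds a key for the principal AD will encrypt the ticket to."""
    hits = [e for e in entries if e["principal"] == principal]
    if not hits:
        return False, "no key for %s; keytab holds %s" % (principal, sorted({e["principal"] for e in entries}))
    if expected_kvno is not None and all(e["kvno"] != expected_kvno for e in hits):
        return False, "keytab kvno %s != AD kvno %d: key changed since ktpass?" % ([e["kvno"] for e in hits], expected_kvno)
    return True, "; ".join("kvno %d %s" % (e["kvno"], e["enctype"]) for e in hits)

def keytab_entry(realm, comps, kvno, enctype, key, ts=1232000000):
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample built with keytab_entry(): the HTTP key, a deleted slot, and a host/ key with kvno > 255.
SAMPLE_KEYTAB = (b"\x05\x02" + keytab_entry("EXAMPLE.COM", ["HTTP", "www.example.com"], 3, 23, bytes(16))
                 + struct.pack(">i", -8) + bytes(8)
                 + keytab_entry("EXAMPLE.COM", ["host", "www.example.com"], 300, 18, bytes(32)))
```

On a host with the MIT client tools, `klist -k -t -e /path/to/keytab` prints the same principal, kvno and enctype fields; the script is for checking a keytab where those tools are not installed.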
