mod_auth_kerb: gss_accept_sec_context() failed

Michael Ströder michael at stroeder.com
Tue Jan 20 15:20:49 EST 2009 

Michael Ströder wrote:
> Andrew Cobaugh wrote:
>> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <michael at stroeder.com> wrote:
>>> HI!
>>>
>>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>>> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
>>> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
>>> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
>>> initialized.
>>>
>>> The web browser is Seamonkey and it already sends the
>>> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
>>> in the HTTP request.
>>>
>>> But it does not work. I don't get authorized HTTP access.
>>> In Apache's error_log I find:
>>> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
>>> code may provide more information (, Decrypt integrity check failed)
>> Are you sure that the keytab specified by Krb5Keytab is consistent
>> with the HTTP service principal that is in AD? That message is the
>> same as saying "your password is wrong."
> 
> Yes, I'm pretty sure. Krb5Keytab points to the file I've extracted with
> ktpass.exe and the command-line tool 'strings' extracts the right
> Kerberos realm, "HTTP" and fully-qualified domain name of the server.
> 
> How can I gather more debug log messages?

Well, I set LogLevel debug in httpd.conf now and got the following
messages in Apache's error_log:

------------------------------ snip ------------------------------
[debug] src/mod_auth_kerb.c(1635): [client 10.1.1.5]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1635): [client 10.1.1.5]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1247): [client 10.1.1.5] Acquiring creds for
HTTP/nb2.stroeder.local at DOM2.ADTEST.LOCAL
[debug] src/mod_auth_kerb.c(1392): [client 10.1.1.5] Verifying client
data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1408): [client 10.1.1.5] Client didn't
delegate us their credential
[debug] src/mod_auth_kerb.c(1108): [client 10.1.1.5] GSS-API
major_status:000d0000, minor_status:96c73a1f
[error] [client 10.1.1.5] gss_accept_sec_context() failed: Unspecified
GSS failure.  Minor code may provide more information (, Decrypt
integrity check failed)
------------------------------ snip ------------------------------

Hmm...

>> Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
>> patch so that mod_auth_kerb sets up the GSS environment correclty, so
>> that your application will use the correct KRB5CCNAME:
>>
>> http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch
> 
> Many thanks for this information!

I've applied this patch.

Ciao, Michael.

More information about the Kerberos mailing list