windows 2003 domain controller, mod_auth_kerb in linux, issue with kerberos

Christopher D. Clausen cclausen at acm.org
Wed Jul 15 12:06:19 EDT 2009


Windows AD accounts require "allow this account to be trusted for 
delegation" to have Internet Explorer actually delegate credentials to 
the web server (which you are requesting via the KrbSaveCredentials On 
parameter.)  Try turning this off and see if it does what you want.

Also, (and this is probably more likely the problem) if you need to 
enable KrbVerifyKDC off, something is probably broken with your keytab. 
You should fix it and enable the verification step.  This will probably 
allow IE to work better and actually send GSSAPI and not NTLM data.

<<CDC

Nikolay Shopik <shopik at inblock.ru> wrote:
> And you have enabled the "Integrated windows authentication" option in IE6,
> haven't you?
>
> On 10.07.2009 19:20, Ahmar Nauman wrote:
>>
>>   Hi,
>>
>>   I'm using windows server 2003 as domain controller,
>>   I've successfully followed all the necessary steps required for
>>   setting up an SSO, generated keytab files which give me correct
>> info if I type klist -k , integrated mod_auth_kerb and configured
>> machines. My browser settings are just fine as well,
>>
>>
>>   My httpd.conf is like
>>   <Location /myURL>
>>   AuthType Kerberos
>>   AuthName "Test Kerberos Login"
>>   KrbVerifyKDC off # it doesn't work if i remove this line
>>   KrbMethodNegotiate On
>>   KrbMethodK5Passwd On
>>   KrbAuthRealms LAB1.DIGIDENT-SOLUTIONS.COM
>>   Krb5KeyTab /etc/krb5.keytab
>>   KrbSaveCredentials On
>>   KrbServiceName HTTP
>>   require valid-user
>>   </Location>
>>
>>   Now when I tried to test from IE (v 6) it opens a login box; if I
>> supply the username and password as set up in Active Directory, it allows
>> me to enter. I don't want to get this login box, so if I change
>> KrbMethodK5Passwd to Off, it simply refuses to let me in, with an
>> Authorization Required message in the browser, and in the apache logs I get
>> the following errors,
>>
>>   [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1266): [client x.x.x.x] Verifying client data using KRB5 GSS-API
>>   [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): [client ......] Verification returned code 589824
>>   [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1309): [client ......] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
>>   [Fri Jul 10 20:31:25 2009] [error] [client ......9] gss_accept_sec_context() failed: Invalid token was supplied (No error)
>>
>>   I'm trying to resolve this issue, but nothing has worked out so far.
>>   Can anybody please help here??
>>
>>   regards
>>   - Ahmar
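
Added example (not part of the original thread and not mod_auth_kerb code): a small Python diagnostic that classifies the token a browser sends in "Authorization: Negotiate ..." as bare NTLM, Kerberos, or SPNEGO, and names the routine-error field of a GSS-API major status such as the 589824 in the log above. The function names, result labels and sample headers are constructed for illustration; the OIDs and status names are the standard ones (RFC 2744, RFC 4178).

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"
# Routine errors (bits 16-23 of a GSS-API major status), names per RFC 2744.
GSS_ROUTINE = {1: "GSS_S_BAD_MECH", 7: "GSS_S_NO_CRED",
               9: "GSS_S_DEFECTIVE_TOKEN", 13: "GSS_S_FAILURE"}

# Constructed sample headers (truncated tokens, enough for classification only).
_ntlm1 = NTLM_SIG + struct.pack("<II", 1, 0x00088207)
SAMPLE_NTLM = "Negotiate " + base64.b64encode(_ntlm1).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(b"\x60\x0b\x06\x09" + KRB5_OID).decode()
_wrapped = b"\x06\x06" + SPNEGO_OID + _ntlm1
SAMPLE_SPNEGO_NTLM = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(_wrapped)]) + _wrapped).decode()

def gss_routine_error(major):
    """Name the routine-error field of a major status such as the logged 589824."""
    code = (major >> 16) & 0xFF
    return GSS_ROUTINE.get(code, "routine error %d" % code)

def _gss_mech_oid(tok):
    """Return the mechanism OID of a GSS-API initial context token, else None."""
    if len(tok) < 4 or tok[0] != 0x60:
        return None
    pos = 2 + (tok[1] & 0x7F if tok[1] & 0x80 else 0)  # skip short/long DER length
    if pos + 2 > len(tok) or tok[pos] != 0x06:
        return None
    return tok[pos + 2:pos + 2 + tok[pos + 1]]

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate ...' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if tok.startswith(NTLM_SIG):
        return "raw-ntlm"  # bare NTLMSSP message, not a GSS-API token
    oid = _gss_mech_oid(tok)
    if oid == KRB5_OID:
        return "kerberos"
    if oid == SPNEGO_OID:
        return "spnego-ntlm" if NTLM_SIG in tok else "spnego"
    return "unknown"
```

Pass classify_negotiate() the header value captured from the failing request; a "raw-ntlm" or "spnego-ntlm" result means the client never obtained a service ticket for the HTTP principal and fell back to NTLM.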



