ok_as_delegation status

Kronus David kronda at atlas.cz
Mon May 18 07:03:21 EDT 2009

 Hi all,
I'm trying to use the following setup (everything on Linux): 
   server: Apache2 + mod_auth_kerb + MIT KDC 
   klient: Firefox with properly configured MIT Kerberos support for the local server
User has a kerberos ticket in its cache and is able to access protected webpage using firefox without entering their password, the ticket for HTTP/<server> is being successfully obtained. However, in .htaccess of that webpage I have set KrbSaveCredentials and this setting is only working when I enter the password for authentication directly, not use the ticket from cache to authenticate. In apache log I can see the following when not entering the password:

[Mon May 18 11:41:25 2009] [error] [client] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: http://<server>/php/test.php

I've found on several pages that this is related to the ok_as_delegate flag set for HTTP/<server> principal. So my first question is, whether this is true, whether this is needed in my situation. And if yes then my second question is how can I set this flag in kadmin (or any other way)? I've seen some activity going on on this feature recently in MIT Kerberos svn, so maybe it will be available in the next release of MIT Kerberos? I'm using version 1.6.3.

Thanks for any help.

More information about the Kerberos mailing list