Kerberos/Apache receiving Active Directory user/password in plain text

Michael Ströder michael at stroeder.com
Tue Nov 3 02:04:09 EST 2009


LUISRAMOS wrote:
> 
> Michael Ströder wrote:
>> LUISRAMOS wrote:
>>> We have a unix web server with Apache where we installed kerberos to
>>> implement single sign on.
>> I guess you're using mod_auth_kerb?
>>
>>> The idea with this is to have the ability of authenticating through the
>>> Windows Active Directory once not needing to log again in the unix box.
>>> After the setup, the authentication works.  When we log in to the unix
>>> server, a popup window asks for user/pwd.  After entering user/pwd the
>>> credentials are authenticated against the windows active directory and
>>> the access to the unix/apache box is granted.  However, what we want is
>>> to avoid this login popup.  We noticed that when the popup window is
>>> displayed the following message is seen in the popup:  "Warning: This
>>> server is requesting that your username and password be sent in an
>>> insecure manner (basic authentication without a secure connection)."
>>> Looks like the internet browser is sending the credentials in plain
>>> text to the unix box.
>>>
>>> Does anybody have an idea of how we can configure Kerberos, or any other
>>> component, to avoid this popup window?
>>
>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>
>> See also: http://modauthkerb.sourceforge.net/configure.html
>
> Michael, I changed the parameter and got this message:
> 
> Authorization Required
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.

Well, you have to set up your environment to let the browser use SPNEGO/Kerberos.

Ciao, Michael.
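For reference, here is a mod_auth_kerb configuration illustrating the difference discussed in this thread: the fallback that produces the browser's plain-text Basic auth warning, and the SPNEGO-only form that "KrbMethodK5Passwd off" gives you. This is an added example, not configuration posted by either participant; the realm EXAMPLE.COM, the keytab path and the /secure location are placeholders.

```apache
# Added example (not from the thread). Realm, keytab path and location are placeholders.

# Weak form: K5Passwd fallback enabled. If the browser does not do Negotiate,
# Apache also offers "WWW-Authenticate: Basic", the browser shows the login
# popup, and over plain HTTP the AD password crosses the wire in the clear.
#<Location /secure>
#    AuthType Kerberos
#    KrbMethodNegotiate on
#    KrbMethodK5Passwd on
#    Require valid-user
#</Location>

# Hardened form: SPNEGO only. Apache sends only "WWW-Authenticate: Negotiate",
# so no password ever leaves the browser; the browser presents a Kerberos
# service ticket obtained from the AD KDC instead.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Placeholder AD realm; Kerberos realms are conventionally uppercase
    KrbAuthRealms EXAMPLE.COM
    # Service principal is HTTP/<fqdn>@REALM; the keytab below must hold its key
    KrbServiceName HTTP
    # Placeholder keytab path; keep it readable only by the Apache user
    Krb5Keytab /etc/httpd/conf/http.keytab
    # Offer SPNEGO/Kerberos
    KrbMethodNegotiate on
    # Never fall back to password (Basic) authentication
    KrbMethodK5Passwd off
    # Do not cache delegated credentials on the web server unless a backend needs them
    KrbSaveCredentials off
    Require valid-user
</Location>
```

With K5Passwd off, the "Authorization Required" page quoted above is exactly what a client sees when it cannot complete Negotiate: the server no longer has a password-based method to fall back to. For the SPNEGO handshake to succeed the client must already hold a TGT from the Windows domain, the server's HTTP/<fqdn> SPN must be registered in Active Directory for the account whose key is in the keytab, and the browser must be allowed to use integrated authentication for the site (for example Firefox's network.negotiate-auth.trusted-uris preference, or the Local Intranet zone settings in Internet Explorer).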
