Kerberos/Apache receiving Active Directory user/password in plain text

LUISRAMOS LUIS.RAMOS at PFIZER.COM
Fri Nov 6 13:12:50 EST 2009


We tried using the GSS module and it worked smoothly for Solaris 10, since
the apache for this solaris version brings all the needed modules off the
shelf.  However, we havent been able to make it work in Solaris 9,  looks
like we might be having an issue with the libraries needed to replicate the
same components Solaris 10 has.  When we look at the error logs for Solaris
9 this is what we get.

Client wants GSS mech: <unknown>

For Solaris 10, which it works nicely this is the meesage:

Client wants GSS mech: spnego

We are testing different alternatives with the compilation of the gss module
to see what could we be missing.

Regards



Michael Ströder wrote:
> 
> LUISRAMOS wrote:
>> 
>> Michael Ströder wrote:
>>> LUISRAMOS wrote:
>>>> We have a unix web server with Apache were we installed kerberos to
>>>> implement single sign on.
>>> I guess you're using mod_auth_kerb?
>>>
>>>> The idea with this is to have the ability of autenticating through the
>>>> Windows Active Directory once not needing to log again in the unix box.
>>>> After the setup, the autentication works.  When we log in to the unix
>>>> server, a popup window asks for user/pwd.  After entering user/pwd the
>>>> credentials are autenticated against the windows active directory and
>>>> the access to the unix/apache box is granted.  However, what we want is
>>>> to avoid this login popup.  We noticed that when the popup window is
>>>> displayed the following message is seeing in the popup:  "Warning: This
>>>>  server is requesting that your username and password be sent in an 
>>>> insecure manner (basic authentication without a secure connection).
>>>> Looks like the internet browser is sending the credentials in plain
>>>> text to the unix box.
>>>>
>>>> Anybody has an idea on how we can configure Kerberos, or any other 
>>>> component to avoid this popup window.
>>>
>>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>>
>>> See also: http://modauthkerb.sourceforge.net/configure.html
>>
>> Michael, I changed the parameter and got this message:
>> 
>> Authorization Required
>> This server could not verify that you are authorized to access the
>> document
>> requested. Either you supplied the wrong credentials (e.g., bad
>> password),
>> or your browser doesn't understand how to supply the credentials
>> required.
> 
> Well, you have to set up your environment to let the browser use
> SPNEGO/Kerberos.
> 
> Ciao, Michael.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://old.nabble.com/Kerberos-Apache-receiving-Active-Directory-user-password-in-plain-text-tp26114792p26230848.html
Sent from the Kerberos - General mailing list archive at Nabble.com.





More information about the Kerberos mailing list