Kerberos/Apache receiving Active Directory user/password in plain text

Douglas E. Engert deengert at anl.gov
Fri Nov 6 14:40:46 EST 2009



LUISRAMOS wrote:
> We tried using the GSS module and it worked smoothly for Solaris 10, since
> the apache for this solaris version brings all the needed modules off the
> shelf.  However, we havent been able to make it work in Solaris 9,  looks
> like we might be having an issue with the libraries needed to replicate the
> same components Solaris 10 has.  When we look at the error logs for Solaris
> 9 this is what we get.
> 
> Client wants GSS mech: <unknown>
> 
> For Solaris 10, which it works nicely this is the meesage:
> 
> Client wants GSS mech: spnego
> 
> We are testing different alternatives with the compilation of the gss module
> to see what could we be missing.
> 

Solaris 9 is pretty old, and Sun did not expose the Kerberos API. We always
used the MIT Kerberos on Solair 9. Solaris 10 is much better, and Sun keeps it
more up to date, and has exposed the Kerberos API.

If you are not on the  modauthkerb-help at lists.sourceforge.net you should be.
There is a Solaris discussion going on there.


> Regards
> 
> 
> 
> Michael Ströder wrote:
>> LUISRAMOS wrote:
>>> Michael Ströder wrote:
>>>> LUISRAMOS wrote:
>>>>> We have a unix web server with Apache were we installed kerberos to
>>>>> implement single sign on.
>>>> I guess you're using mod_auth_kerb?
>>>>
>>>>> The idea with this is to have the ability of autenticating through the
>>>>> Windows Active Directory once not needing to log again in the unix box.
>>>>> After the setup, the autentication works.  When we log in to the unix
>>>>> server, a popup window asks for user/pwd.  After entering user/pwd the
>>>>> credentials are autenticated against the windows active directory and
>>>>> the access to the unix/apache box is granted.  However, what we want is
>>>>> to avoid this login popup.  We noticed that when the popup window is
>>>>> displayed the following message is seeing in the popup:  "Warning: This
>>>>>  server is requesting that your username and password be sent in an 
>>>>> insecure manner (basic authentication without a secure connection).
>>>>> Looks like the internet browser is sending the credentials in plain
>>>>> text to the unix box.
>>>>>
>>>>> Anybody has an idea on how we can configure Kerberos, or any other 
>>>>> component to avoid this popup window.
>>>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>>>
>>>> See also: http://modauthkerb.sourceforge.net/configure.html
>>> Michael, I changed the parameter and got this message:
>>>
>>> Authorization Required
>>> This server could not verify that you are authorized to access the
>>> document
>>> requested. Either you supplied the wrong credentials (e.g., bad
>>> password),
>>> or your browser doesn't understand how to supply the credentials
>>> required.
>> Well, you have to set up your environment to let the browser use
>> SPNEGO/Kerberos.
>>
>> Ciao, Michael.
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list