Different behaviour of mod_auth_kerb depending on kerberos stack

Beier Michael M.Beier at enbw.com
Tue Oct 19 11:18:05 EDT 2010


Hi,

we're using kerberos to authenticate our users accessing websites hosted on apache 2.2 webservers using mod_auth_kerb. Currently we're trying to update our kerberos-stack on SuSE linux from heimdal 0.7.2 to MIT 1.6.3 (this version comes with SuSE Linux Enterprise Server 11).

Currently we're running multiple websites configured as virtual hosts in apache. All virtual hosts could be served using one single keytab file representing one single account in our active directory (win 2003) with one ServicePrincipalName for each virtual host.

The keytab file contains only one entry for "HTTP/hostname.enbw.net at ENBW.NET".

This worked fine, using the heimdal kerberos implementation, even if the browser (i.e. InternetExplorer 7) accesses a virtual host http://virtualhost.enbw.net/ and sends a ticket for the service HTTP/virtualhost.enbw.net.

Using the MIT implementation, accessing the virtual host using firefox still works, because firefox does a reverse and forward DNS lookup and sends a kerberos ticket for HTTP/hostname.enbw.net, which is found in the keytab file. With InternetExplorer, mod_auth_kerb declines access to http://virtualhost.enbw.net, because it sends (actually the same) kerberos ticket (but) for HTTP/virtualhost.enbw.net, which is not found in the keytab file. Apache shows the following error:

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Key table entry not found)

At the moment I have no really good ideas how to solve this - the first idea was to create a separate account and keytab for each virtual host, but the different behaviour of firefox and IE seems to make that impossible, because one ServicePrincipalName would have to be added to multiple accounts, but must be unique in active directory at the same time.

Can anyone provide me with some help or an idea on how to solve this?

Thanks and best regards,

Michael

Michael Beier
Team SIS OIOAW (Web Basis)

EnBW Systeme Infrastruktur Support GmbH
Durlacher Allee 93
76131 Karlsruhe

Tel.: +49 (7 21) 63 - 14545
Fax: +49 (7 21) 63 - 15099
mailto:m.beier at enbw.com

EnBW Systeme Infrastruktur Support GmbH
Registered office: Karlsruhe
Commercial register: Amtsgericht Mannheim - HRB 108550
Chairman of the Supervisory Board: Dr. Bernhard Beck
Managing Directors: Jochen Adenau, Hans-Günther Meier
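As an added diagnostic (not part of the original post or of mod_auth_kerb), the script below lists the principals stored in a version-2 keytab and reports which virtual-host SPNs (HTTP/vhost@REALM) have no entry, i.e. the names for which gss_accept_sec_context() reports "Key table entry not found" when a browser presents a ticket for them. The keytab bytes, host names and realm are constructed to mirror the post; build_keytab exists only to make the example self-contained and writes dummy keys.

```python
import struct

def _cstr(s):                                   # keytab "counted string": uint16 length + bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def build_keytab(principals):
    """Constructed sample only: a minimal v2 keytab with a dummy key per principal."""
    out = b"\x05\x02"                           # keytab format version 2
    for name in principals:
        prin, realm = name.rsplit("@", 1)
        comps = prin.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, 3)    # name type NT-PRINCIPAL, timestamp, key version
        body += struct.pack(">HH", 23, 16) + b"\x00" * 16  # enctype 23 (arcfour-hmac), dummy key
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data):
    """Return every principal (name@REALM) stored in a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, names = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                           # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        names.append("/".join(comps) + "@" + realm)
        off = end                               # skip name type, timestamp, vno and keyblock
    return names
def missing_spns(principals, vhosts, realm):
    """SPNs a browser may present that have no keytab entry ('Key table entry not found')."""
    have = set(principals)
    return [s for s in ("HTTP/%s@%s" % (h, realm) for h in vhosts) if s not in have]
SAMPLE_KEYTAB = build_keytab(["HTTP/hostname.enbw.net@ENBW.NET"])  # constructed, as in the post
VHOSTS = ["hostname.enbw.net", "virtualhost.enbw.net"]             # constructed
```

On a live server, feed the bytes of the Apache keytab file to keytab_principals() and the list of ServerName/ServerAlias values to missing_spns(); `klist -kt <keytab>` shows the same principal list for cross-checking.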
