Error while adding new realm to krb5.conf

Sangodkar, Sanket sanket.sangodkar at atos.net
Mon Dec 19 08:34:03 EST 2011 

Hi,

 

We have configured SSO using Kerberos v5 with Apache Http Server.

 

The keytab which being created is of encryption type - DES-CBC-MD5

 

We are currently facing issue with Automatic authentication using LDAP;
the SSO was implemented properly and deployed successfully. But without
any configuration changes on server where apache and Kerberos are
deployed, SSO is failing to login automatically.

 

We checked the logs of and found one difference -

 

During working time of SSO the log was updated with following details - 

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Acquiring creds for HTTP/DOMAIN at XXX.XXX.COM

Verifying client data using SPNEGO GSS-API

Verification returned code 0

GSS-API token of length 161 bytes will be sent back

 

Currently log is updated with following trace -

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Acquiring creds for HTTP/DOMAIN at XXX.XXX.COM

Verifying client data using KRB5 GSS-API

Verification returned code 65536

Warning: received token seems to be NTLM, which isn't supported by the
Kerberos module. Check your IE configuration.

gss_accept_sec_context() failed: An unsupported mechanism was requested
(Unknown error)

 

 

Is it the issue occurred since the encryption from browser is different
?

 

 

We also tested kinit command for specific username under the domain
XXX.XXX.COM and kinit is executed successfully.

 

Can you please advise us to resolve this issue ?

 

 

Thanks and Regards,

 

Sanket

 



This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.

More information about the Kerberos mailing list