Microsoft SSPI error - Security System was unable to authenticate to the server HTTP/host because the server has completed the authentication, but the client authentication protocol Kerberos has not
Alon Bar-Lev
alon.barlev at gmail.com
Mon Oct 3 10:12:30 EDT 2011
Hello,
I have a configuration of Active Directory 2003 R2 SP3 working with
Linux mod_auth_kerb.
I use SPNEGO for Subversion.
When using Linux, everything works great!
When using Windows XP (and Windows 7), the Firefox/IE/cifs clients work great.
The problem is Subversion, which uses neon; it gets the following:
---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---
In the Windows event log I see the following:
---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Date: 10/3/2011
Time: 3:55:38 PM
User: N/A
Computer: VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---
Has anyone seen this before?
I tried many configurations, but without success:
---
Gentoo
---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1
net-fs/samba-3.5.11
app-crypt/mit-krb5-1.9.1 -> also downgraded to 1.6.3
---
The strange thing is that I have a CentOS server on the same network
with *MUCH* older packages and it does work...
---
CentOS
---
openssl-0.9.8e-20.el5
httpd-2.2.3-53.el5.centos.1
mod_ssl-2.2.3-53.el5.centos.1
mod_auth_kerb-5.1-3.el5
samba-3.0.33-3.29.el5_7.4
krb5-workstation-1.6.1-62.el5
---
I cannot reach this old state on Gentoo, but I cannot explain the
difference between the two machines; I use the same procedure to add
them to the domain:
<edit smb.conf>
net ads join
net ads keytab create
net ads keytab add HTTP cifs
The same configuration for both.
I don't know how to activate logs on the Microsoft end...
I tried to add Lsa\Kerberos\Parameters debug and logging keys but
nothing is generated.
Any clue?
Thanks,
Alon.
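
Added example, not part of the original message: a small decoder for the WWW-Authenticate Negotiate value in the neon debug output above, showing what the server actually sent back in its SPNEGO reply. The function names are illustrative, and the parser only handles the NegTokenResp fields present in this token.

```python
import base64

# Token from the neon debug output above, with the 80-column line wraps removed.
TOKEN_B64 = (
    "oYGfMIG"
    "coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA"
    "DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u"
    "DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2"
)
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
GSS_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(raw):  # DER OID content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(b64):
    """Parse an SPNEGO NegTokenResp (RFC 4178) from a Negotiate header value."""
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp")
    _, seq, _ = read_tlv(body)
    out, pos = {}, 0
    while pos < len(seq):
        ctx, field, pos = read_tlv(seq, pos)
        _, val, _ = read_tlv(field)
        if ctx == 0xA0:
            out["neg_state"] = NEG_STATES.get(val[0], val[0])
        elif ctx == 0xA1:
            out["supported_mech"] = oid_to_str(val)
        elif ctx == 0xA2:  # responseToken: GSS-API framed Kerberos message
            _, inner, _ = read_tlv(val)        # [APPLICATION 0] wrapper
            _, _, after_oid = read_tlv(inner)  # skip the mechanism OID
            out["krb_token"] = GSS_TOK_IDS.get(inner[after_oid:after_oid + 2])
    return out
```

For this token, parse_neg_token_resp(TOKEN_B64) reports negState accept-completed, mechanism 1.2.840.113554.1.2.2 (Kerberos V5) and an AP-REP response token. That matches the event log text saying the server has completed the authentication; the AP-REP is the mutual-authentication reply the client still has to process.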