MIT Kerberos problem with Windows clients

Morgan Patou morgan.patou at dbi-services.com
Fri Jan 17 08:02:53 EST 2014


Hi Robert & Benjamin 

First of all, thank you for your answers! 

@Benjamin: I set 'network.auth.use-sspi=false' in about:config, restarted Firefox and indeed it worked!

But now I have another issue which is certainly caused by the use of the Checkpoint VPN. When accessing a kerberized application, the same sequence is repeated many times in the Apache logs, and the only thing that changes is the 'referer':

[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1628): [client < VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1240): [client < VPN Internal IP>] Acquiring creds for HTTP/ uvw.realm.com at REALM.COM
[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1385): [client < VPN Internal IP>] Verifying client data using KRB5 GSS-API
[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1401): [client < VPN Internal IP>] Client delegated us their credential
[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1420): [client < VPN Internal IP>] GSS-API token of length 22 bytes will be sent back 

[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1628): [client < VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://uvw.realm.com/
[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1240): [client < VPN Internal IP>] Acquiring creds for HTTP/ uvw.realm.com at REALM.COM , referer: http://uvw.realm.com/
[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1385): [client < VPN Internal IP>] Verifying client data using KRB5 GSS-API , referer: http://uvw.realm.com/
[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1401): [client < VPN Internal IP>] Client delegated us their credential , referer: http://uvw.realm.com/
[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1420): [client < VPN Internal IP>] GSS-API token of length 22 bytes will be sent back , referer: http://uvw.realm.com/ 

[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1628): [client < VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://uvw.realm.com/ theme/css/main.css?...
[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1240): [client < VPN Internal IP>] Acquiring creds for HTTP/ uvw.realm.com at REALM.COM , referer: http://uvw.realm.com/ theme/css/main.css?...
[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1385): [client < VPN Internal IP>] Verifying client data using KRB5 GSS-API , referer: http://uvw.realm.com/ theme/css/main.css?...
[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1401): [client < VPN Internal IP>] Client delegated us their credential, referer: http://uvw.realm.com/ theme/css/main.css?...
[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1420): [client < VPN Internal IP>] GSS-API token of length 22 bytes will be sent back, referer: http://uvw.realm.com/ theme/css/main.css?... 

... and so on ...

It's just as if Firefox has to give the ticket to Apache for each element that has to be loaded in the browser (css, images, js, ...). So the page takes at least 5 minutes to be completely loaded.


@Robert: I already tried your solution B) but I think that doesn't work for me. To access the KDC, I have to open an SSL Network Extender (Checkpoint SNX) in my browser. So I need to be logged on to my computer as a local user and not as a member of a domain or realm or whatever. Then I open the SNX applet (from the browser) and the next step is to get the initial ticket. So I used ksetup to get the same configuration as a krb5.conf in Linux.

Then I tried to switch the current user (test1\test1) to REALM.COM\test1 (where test1 is my local user name). In the KDC log file, I see:

Jan 17 11:31:09 xyz.realm.com krb5kdc[1767](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) <VPN Internal IP>: ISSUE: authtime 1389954669, etypes {rep=18 tkt=18 ses=18}, test1 at REALM.COM for krbtgt/REALM.COM at REALM.COM
Jan 17 11:31:10 xyz.realm .com krb5kdc[1767](info): TGS_REQ (5 etypes {18 17 23 24 -135}) <VPN Internal IP> : ISSUE: authtime 1389954669, etypes {rep=18 tkt=18 ses=18}, test1 at REALM.COM for host/test1.realm.com at REALM.COM 

So it seems I have a ticket, right? How could I see this ticket? Then if I try to access uvw.realm.com, nothing happens. The only line that appears in the Apache log if 'network.auth.use-sspi=false' is the first one:

[Thu Jan 17 11:40:43 2014] [debug] src/mod_auth_kerb.c(1628): [client <VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos 

Apparently, the kerberized application doesn't try to get credentials in this case. If 'network.auth.use-sspi=true' (default value), then I get the same issue as before:

[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1628): [client <VPN Internal IP> ] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1240): [client <VPN Internal IP> ] Acquiring creds for HTTP/uvw.realm.com at REALM.COM
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1385): [client <VPN Internal IP> ] Verifying client data using KRB5 GSS-API
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1401): [client <VPN Internal IP> ] Client didn't delegate us their credential
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1429): [client <VPN Internal IP> ] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1101): [client <VPN Internal IP> ] GSS-API major_status:00010000, minor_status:00000000
[Fri Jan 17 11:54:24 2014] [error] [client <VPN Internal IP> ] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error) 

Do you think that putting the KDC outside of the VPN will improve the performance? It seems that it's the communication between the client and the kerberized application (with Apache) that takes so much time. Or is there an option for the KDC? Forwardable? I don't know...


Regards, 
Morgan 
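An added triage script, not part of the original thread, that walks mod_auth_kerb debug lines like the ones quoted above (the sample below is constructed from them) and counts separate GSS handshakes, how many of them carried a delegated credential, and how many fell back to NTLM; a fresh handshake per sub-resource, each one delegating the user's credential to the web server, is the server-side symptom of the slowness described in the post.

```python
import re

# Constructed sample modelled on the post's mod_auth_kerb debug output; the
# "<VPN Internal IP>" placeholder is kept as the author wrote it.
SAMPLE_LOG = """\
[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1628): [client <VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1401): [client <VPN Internal IP>] Client delegated us their credential
[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1628): [client <VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://uvw.realm.com/
[Thu Jan 17 09:28:45 2014] [debug] src/mod_auth_kerb.c(1401): [client <VPN Internal IP>] Client delegated us their credential, referer: http://uvw.realm.com/
[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1628): [client <VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://uvw.realm.com/theme/css/main.css
[Thu Jan 17 09:29:01 2014] [debug] src/mod_auth_kerb.c(1401): [client <VPN Internal IP>] Client delegated us their credential, referer: http://uvw.realm.com/theme/css/main.css
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1628): [client <VPN Internal IP>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1401): [client <VPN Internal IP>] Client didn't delegate us their credential
[Fri Jan 17 11:54:24 2014] [debug] src/mod_auth_kerb.c(1429): [client <VPN Internal IP>] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Fri Jan 17 11:54:24 2014] [error] [client <VPN Internal IP>] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
"""

# Fields: timestamp, level, optional source location, client, message, optional referer.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:src/mod_auth_kerb\.c\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*?)(?:, referer: (?P<referer>\S+))?\s*$"
)

def summarize(log_text):
    """Each 'kerb_authenticate_user entered' line starts a new handshake;
    later lines say how it ended (delegated, NTLM fallback, GSS error)."""
    handshakes = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("kerb_authenticate_user entered"):
            handshakes.append({"referer": m["referer"], "delegated": False,
                               "ntlm": False, "gss_error": False})
        elif handshakes:  # attach outcome lines to the most recent handshake
            hs = handshakes[-1]
            if msg.startswith("Client delegated us their credential"):
                hs["delegated"] = True
            elif "seems to be NTLM" in msg:
                hs["ntlm"] = True
            elif msg.startswith("gss_accept_sec_context() failed"):
                hs["gss_error"] = True
    return {
        "handshakes": len(handshakes),
        "delegated": sum(h["delegated"] for h in handshakes),
        "ntlm_fallback": sum(h["ntlm"] for h in handshakes),
        "gss_errors": sum(h["gss_error"] for h in handshakes),
        "referers": sorted({h["referer"] for h in handshakes if h["referer"]}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real error_log with LogLevel debug; a high handshake count spread over many referers points at per-resource re-authentication, while any NTLM fallback means the browser never sent a Kerberos token at all.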

