Issue on Windows 7 with MSLSA?

Martin Schubert the at martinschubert.eu
Tue Jul 1 15:31:33 EDT 2014


Hi all,
I have a Kerberos server and Apache running on Linux and am trying to
access the Apache from a Windows 7 box with Firefox. I'm using Heimdal
1.6.2.0 and netidmgr 2.0.102.907 and have configured
network.negotiate-auth.trusted-uris and network.negotiate-auth.trusted-uris
to my Apache and hostname network.auth.use-sspi = false in Firefox.
My krb5.conf looks like this:

[libdefaults]
 default_realm = DOMAIN.LOCAL
 forwardable = true
 proxiable = true
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac

[realms]
 DOMAIN.LOCAL = {
  kdc = infa.domain.local:88
  admin_server = infa.domain.local:749
}

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

I can obtain credentials in netidmgr without any error, but when I'm trying
to open the website in Firefox, I just keep getting the obtain credentials
window popping up 4 times! Please find the netidmgr log below:

21:19:58.483 [47] Begin: Obtaining new credentials
21:19:58.488 [47] End
21:20:07.347 [48] Begin: Obtaining new credentials for
Administrator at DOMAIN.LOCAL
21:20:07.347 10184[48] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:07.347 10184[48] Debug(1): Queuing credtype Kerberos v5(1) for
processing
21:20:07.347 10184[48] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:07.347 [49] Begin: Obtaining initial Kerberos v5 tickets (child of
[48])
21:20:07.347 2568[49] Debug(1): Confirming k5_kinit_task [00000000023AF120]
for principal [Administrator at DOMAIN.LOCAL]
21:20:07.370 2568[49] Debug(1): Tickets successfully acquired
21:20:07.370 2568[49] Debug(1): Found CCache [API:Administrator at DOMAIN.LOCAL]
for identity [Administrator at DOMAIN.LOCAL]
21:20:07.371 2568[49] Debug(1): Getting tickets from cache
[API:Administrator at DOMAIN.LOCAL]
21:20:07.371 2568[49] Debug(1): Found principal [Administrator at DOMAIN.LOCAL]
21:20:07.371 2568[49] Debug(1): Ticket [krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL]
21:20:07.372 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:07.371 2568[49] Debug(1): Setting properties for identity (count=1)
21:20:07.372 [DBG] cc_mslsa: krb5_lcc_resolve GetMSTGT failed
21:20:07.372 2568[49] Info:(Krb5) krb5_cc_resolve() failed. No credentials
cache file found (Code=195)
21:20:07.373 2568[49] Debug(1): Attempting to synchronize default identity
into MSLSA:
21:20:07.374 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:07.374 [DBG] cc_mslsa: krb5_lcc_resolve GetMSTGT failed
21:20:07.373 2568[49] Debug(1): Trying to copy CC
API:Administrator at DOMAIN.LOCAL to MSLSA:
21:20:07.374 2568[49] Info:(Krb5) krb5_cc_resolve() for dest failed. No
credentials cache file found (Code=195)
21:20:07.374 [49] End
21:20:07.374 2568[48] Info:(Krb5) krb5_cc_resolve() for dest failed. No
credentials cache file found (Code=195)
21:20:07.374 10112[48] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:07.374 10112[48] Debug(1): Skipping credtype Kerberos v5(1).  Marked
as processed
21:20:07.374 10112[48] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:07.374 10112[48] Debug(1): Done with processing
21:20:07.378 [48] End
21:20:07.395 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:07.395 [DBG] cc_mslsa: krb5_lcc_resolve GetMSTGT failed
21:20:07.405 [50] Begin: Obtaining new credentials
21:20:07.410 [50] End
21:20:11.773 [51] Begin: Obtaining new credentials for
Administrator at DOMAIN.LOCAL
21:20:11.773 10184[51] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:11.773 10184[51] Debug(1): Queuing credtype Kerberos v5(1) for
processing
21:20:11.773 [52] Begin: Obtaining initial Kerberos v5 tickets (child of
[51])
21:20:11.773 2568[52] Debug(1): Cancelling
21:20:11.773 2568[52] Debug(1): Aborting k5_kinit_task [00000000023A9B60]
for principal [Administrator at DOMAIN.LOCAL]
21:20:11.773 [52] End
21:20:11.773 10184[51] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:11.773 2568[51] Debug(1): Aborting k5_kinit_task [00000000023A9B60]
for principal [Administrator at DOMAIN.LOCAL]
21:20:11.774 10112[51] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:11.774 10112[51] Debug(1): Skipping credtype Kerberos v5(1).  Marked
as processed
21:20:11.774 10112[51] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:11.774 10112[51] Debug(1): Done with processing
21:20:11.776 [51] End
21:20:11.808 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:11.808 [DBG] cc_mslsa: krb5_lcc_resolve GetMSTGT failed
21:20:11.818 [53] Begin: Obtaining new credentials
21:20:11.825 [53] End
21:20:12.374 [54] Begin: Refreshing timers
21:20:12.374 10184[54] Debug(1):(NetIDMgr) Starting with 2 timers
21:20:12.374 10184[54] Debug(1): Looking at cred
[krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL]
21:20:12.374 10184[54] Debug(1): Updating identity marker timer for
[Administrator at DOMAIN.LOCAL].  Expires at (unspecified)
21:20:12.374 10184[54] Debug(1): Updating identity timers ...
21:20:12.374 10184[54] Debug(1): Updating identity renewal timer for
[Administrator at DOMAIN.LOCAL].  Expires at Mittwoch, 2. Juli 2014 02:20:07
21:20:12.374 10184[54] Debug(1): Skipping credential.  Credential
expiration is too close to the identity expiration
21:20:12.375 [55] Begin: Checking for expired timers (child of [54])
21:20:12.375 [55] End
21:20:12.374 10184[54] Debug(1):(NetIDMgr) Leaving with 2 timers
21:20:12.375 10184[54] (NetIDMgr) Checking for expired timers
21:20:12.375 [54] End
21:20:13.794 [56] Begin: Obtaining new credentials for
Administrator at DOMAIN.LOCAL
21:20:13.794 10184[56] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:13.794 10184[56] Debug(1): Queuing credtype Kerberos v5(1) for
processing
21:20:13.794 10184[56] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:13.794 [57] Begin: Obtaining initial Kerberos v5 tickets (child of
[56])
21:20:13.795 2568[57] Debug(1): Cancelling
21:20:13.795 2568[57] Debug(1): Aborting k5_kinit_task [0000000002397890]
for principal [Administrator at DOMAIN.LOCAL]
21:20:13.795 [57] End
21:20:13.795 2568[56] Debug(1): Aborting k5_kinit_task [0000000002397890]
for principal [Administrator at DOMAIN.LOCAL]
21:20:13.795 10112[56] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:13.795 10112[56] Debug(1): Skipping credtype Kerberos v5(1).  Marked
as processed
21:20:13.795 10112[56] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:13.795 10112[56] Debug(1): Done with processing
21:20:13.798 [56] End
21:20:13.837 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:13.837 [DBG] cc_mslsa: krb5_lcc_resolve GetMSTGT failed
21:20:13.842 [58] Begin: Obtaining new credentials
21:20:13.848 [58] End
21:20:14.539 [59] Begin: Obtaining new credentials for
Administrator at DOMAIN.LOCAL
21:20:14.539 10184[59] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:14.539 10184[59] Debug(1): Queuing credtype Kerberos v5(1) for
processing
21:20:14.539 [60] Begin: Obtaining initial Kerberos v5 tickets (child of
[59])
21:20:14.539 2568[60] Debug(1): Cancelling
21:20:14.539 2568[60] Debug(1): Aborting k5_kinit_task [00000000023A8350]
for principal [Administrator at DOMAIN.LOCAL]
21:20:14.540 [60] End
21:20:14.539 10184[59] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:14.539 2568[59] Debug(1): Aborting k5_kinit_task [00000000023A8350]
for principal [Administrator at DOMAIN.LOCAL]
21:20:14.541 10112[59] Debug(1): Preparing to dispatch batch of
KMSG_CRED_PROCESS messages
21:20:14.541 10112[59] Debug(1): Skipping credtype Kerberos v5(1).  Marked
as processed
21:20:14.541 10112[59] Debug(1): Skipping credtype KeyStore(2).  Marked as
disabled
21:20:14.541 10112[59] Debug(1): Done with processing
21:20:14.543 [59] End
21:20:14.577 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:14.578 [DBG] cc_mslsa: krb5_lcc_resolve GetMSTGT failed

Can anyone please help me figure out what is wrong? Thank you!
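
Added example (not part of the original post and not netidmgr code): a small Python triage of the log format shown above. It rejoins the mail-wrapped lines, then reports the outcome of each "Obtaining initial Kerberos v5 tickets" task and counts the cc_mslsa GetMSTGT failures. The function names and the abridged sample are constructed for illustration.

```python
import re

# Abridged from the log in the post above, e-mail line wrapping kept as posted.
SAMPLE = """\
21:20:07.347 [49] Begin: Obtaining initial Kerberos v5 tickets (child of
[48])
21:20:07.370 2568[49] Debug(1): Tickets successfully acquired
21:20:07.372 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
21:20:07.374 2568[49] Info:(Krb5) krb5_cc_resolve() for dest failed. No
credentials cache file found (Code=195)
21:20:07.374 [49] End
21:20:11.773 [52] Begin: Obtaining initial Kerberos v5 tickets (child of
[51])
21:20:11.773 2568[52] Debug(1): Cancelling
21:20:11.773 [52] End
21:20:11.808 [DBG] cc_mslsa: GetMSTGT KerbRetrieveEncodedTicketMessage
failed (2)
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")   # a record starts with a timestamp
REC = re.compile(r"^\S+ \d*\[(\w+)\] ?(.*)$")    # optional thread id, [context], message

def unwrap(text):
    """Join mail-wrapped continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Return ({kinit task id: info}, count of cc_mslsa GetMSTGT failures)."""
    tasks, mslsa_failures = {}, 0
    for tid, msg in (m.groups() for m in map(REC.match, unwrap(text)) if m):
        if tid == "DBG":
            mslsa_failures += "GetMSTGT KerbRetrieveEncodedTicketMessage failed" in msg
        elif msg.startswith("Begin: Obtaining initial Kerberos v5 tickets"):
            parent = re.search(r"child of \[(\d+)\]", msg).group(1)
            tasks[tid] = {"parent": parent, "outcome": "unknown", "codes": []}
        elif tid in tasks:
            if "Tickets successfully acquired" in msg:
                tasks[tid]["outcome"] = "acquired"
            elif "Cancelling" in msg:
                tasks[tid]["outcome"] = "cancelled"
            tasks[tid]["codes"] += map(int, re.findall(r"\(Code=(\d+)\)", msg))
    return tasks, mslsa_failures
```

Run over the full log, this separates the one ticket request that succeeded but then failed to resolve the destination cache (Code=195) from the later requests that were cancelled.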

