Beginner Kerberos question - problem with spnego authentication with webserver

JSoet jordan.soet at ca.ibm.com
Wed Jun 22 18:41:19 EDT 2016


I'm trying to modify a webserver that I work on to do SPNEGO authentication
with an Active Directory server. In preparation for that I've set up 2
machines to test the authentication and I thought I'd try and use an
existing simple webserver to check that I have them set up correctly before
I start modifying my webserver, so I'm trying to test it using the
flask-kerberos project: https://flask-kerberos.readthedocs.io/en/latest/ 

Unfortunately, it seems that there's a problem with the setup and I'm not
sure where to look next to solve it. When running the flask webserver I get
this error when it tries to do the authGSSServerInit call:
GSSError: (('Unspecified GSS failure.  Minor code may provide more
information', 851968), ('', 100004))

My setup is I have 3 machines - 1 Windows Server with Active Directory
installed and a couple users set up, and a user and SPN set for the
webserver.  Then a CentOS machine with the webserver on it and a windows 7
machine that's on the AD domain with an authenticated user. When I try and
authenticate from the windows 7 machine to the /protected page created by
the flask webserver then I get the message above. 

From what I can tell my krb5.conf is configured correctly, I can run kinit
with a couple different usernames and they seem to work fine. 

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TEST.LOCAL = {
  kdc = WIN-KBRA593O67I.Test.local
  admin_server = WIN-KBRA593O67I.Test.local
 }

[domain_realm]
 .Test.local = TEST.LOCAL
 Test.local = TEST.LOCAL

And I think my keytab file is ok. If I run klist -k I get the following
output

[root@TestCentOSGui testFlask]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL

And I can do kinit with the service principal with kinit -k, and afterwards
klist shows the ticket:

[root@TestCentOSGui testFlask]# kinit HTTP/TestCentOSGui.Test.local -k

[root@TestCentOSGui testFlask]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/TestCentOSGui.Test.local@TEST.LOCAL

Valid starting     Expires            Service principal
06/22/16 15:02:12  06/23/16 01:02:16  krbtgt/TEST.LOCAL@TEST.LOCAL
	renew until 06/29/16 15:02:12

I'm hoping that there's something simple that I'm missing, but I'm not
really sure where to look or what to try next, so any advice would be
welcome.



--
View this message in context: http://kerberos.996246.n3.nabble.com/Beginner-Kerberos-question-problem-with-spnego-authentication-with-webserver-tp45585.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
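As an added example, not part of the original post and not code from flask-kerberos, here is a small Python script that performs the offline checks a reviewer would run against the information above before touching GSSAPI at all. It parses a krb5.conf and the output of `klist -k` (both constructed here from the values in the post), then confirms that the keytab holds a key for exactly the principal a browser would ask for, `HTTP/<hostname in the URL>@<realm>`, and that the keytab file is readable by the uid the web process runs as. The hostname argument and the keytab path are assumptions supplied by the caller; the script never contacts a KDC.

```python
"""Static sanity checks for a Kerberos HTTP acceptor (added example)."""
import os
import re

# Constructed sample: the krb5.conf from the post, italic markers removed.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TEST.LOCAL = {
  kdc = WIN-KBRA593O67I.Test.local
  admin_server = WIN-KBRA593O67I.Test.local
 }

[domain_realm]
 .Test.local = TEST.LOCAL
 Test.local = TEST.LOCAL
"""

# Constructed sample: `klist -k` output from the post ('@' restored).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers,
    key = value lines, and one level of `name = { ... }` nesting."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^([^=]+?)\s*=\s*\{$', line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.match(r'^([^=]+?)\s*=\s*(.*)$', line)
        if m:
            target = block if block is not None else section
            target[m.group(1)] = m.group(2).strip()
    return sections


def parse_klist_keytab(text):
    """Return [(kvno, principal), ...] from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^\s*(\d+)\s+(\S+)$', line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_service_setup(conf, keytab_entries, url_hostname):
    """Return a list of findings (empty means the static checks passed).
    url_hostname is the name clients put in the URL; the SPN they request
    is derived from it, so it must match the keytab entry exactly."""
    findings = []
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['no default_realm in [libdefaults]']
    if realm not in conf.get('realms', {}):
        findings.append(f'[realms] has no stanza for {realm}')
    wanted = f'HTTP/{url_hostname}@{realm}'
    principals = [p for _, p in keytab_entries]
    if wanted not in principals:
        # MIT krb5 compares principal names case-sensitively, so a keytab
        # entry that differs only in case will not be used for this request.
        near = [p for p in principals if p.lower() == wanted.lower()]
        if near:
            findings.append(f'keytab has {near[0]} but the request would name '
                            f'{wanted} (case differs)')
        else:
            findings.append(f'keytab has no key for {wanted}; it holds {principals}')
    return findings


def check_keytab_readable(path):
    """The acceptor reads the keytab as the web process uid; report if it
    cannot. Returns None when the file is readable."""
    if not os.path.exists(path):
        return f'keytab {path} does not exist'
    if not os.access(path, os.R_OK):
        uid = getattr(os, 'getuid', lambda: '?')()
        return f'keytab {path} is not readable by uid {uid}'
    return None


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    entries = parse_klist_keytab(SAMPLE_KLIST_K)
    for finding in check_service_setup(conf, entries, 'TestCentOSGui.Test.local'):
        print('FINDING:', finding)
    problem = check_keytab_readable(os.environ.get('KRB5_KTNAME', '/etc/krb5.keytab'))
    print('keytab:', problem or 'readable')
```

Run the script as the same user the Flask process runs as, since a keytab that is readable by root but not by that user fails in exactly the acceptor-side call the post describes; `KRB5_KTNAME` is honoured the way the MIT library honours it. The hostname passed to `check_service_setup` should be the one users type into the browser, not necessarily the machine's own hostname.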