Kerberos Digest, Vol 190, Issue 10

Sanjay Kumar Sahu sanjaysahu.online at gmail.com
Mon Oct 22 09:48:23 EDT 2018


Hi!

Currently we are facing a Kerberos authentication issue on our RHEL7 server
running with Apache/2.4 upon changing the keytab Crypto type=AES256. Previously
it was Crypto type=all. Please check the following details.

We are using mod_auth_kerb on Red Hat Enterprise Linux for our application
MediaWiki 1.30.0 running in Apache/2.4.
We never faced any issue related to Kerberos authentication while we
used the keytab with the following cipher algorithms in the encryption method:
(des-cbc-crc)
(des-cbc-md5)
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

Later, the DES crypto type was categorized as a weak crypto type and its
use in Production was denied for security reasons.

And we are asked to use the keytab using Advanced Encryption Standard (AES)
cryptography with either of the types (AES128 or AES256) for the following cipher
algorithms.

(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

But, unfortunately, neither of the keytabs encrypted with AES Crypto (AES128
or AES256) works under Apache/2.4, and the following error is thrown in the
HTTPD server Error_log.


Error_log
-----------------
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
provide more information (, No key table entry found for the SPN)

Please let us know if there is any solution to resolve the issue for
kerberos.

On Sun, Oct 21, 2018 at 9:32 PM <kerberos-request at mit.edu> wrote:

> Today's Topics:
>
>    1. Make Windows Firefox Use Ticket gained via OpenConnect VPN
>       Connection (chiasa.men)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 Oct 2018 22:09:57 +0200
> From: "chiasa.men" <chiasa.men at web.de>
> Subject: Make Windows Firefox Use Ticket gained via OpenConnect VPN
>         Connection
> To: kerberos at mit.edu
> Message-ID: <25678829.3fpAYYNG7q at march>
> Content-Type: text/plain; charset="utf-8"
>
> I have an openconnect server where I can login with kerberos credentials
> (the vpn server basically also works as proxy to the kdc within said vpn -
> more detailed description:
> https://access.redhat.com/blogs/766093/posts/1976663)
>
> Now I can connect with a windows machine (using openconnect-gui) with my
> kerberos credentials. Which works.
>
> The next step shall be to use the gained ticket further for webservices
> within that vpn. How can I tell the browser (e.g. Firefox) to use the
> ticket gained by openconnect? Is there any way to achieve this?
>
> I also installed the MIT Kerberos Ticket Manager for Windows. Here
> (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> it is described that it is possible to use that
> Manager with firefox in order to authenticate to webservices. Although I
> haven't been able to accomplish that, would it be possible to tell MIT
> Kerberos Ticket Manager to use the Ticket of the vpn login?
>
> Is there already a 'usual way' to achieve something like sso via vpn with
> kerberos with windows clients?
>


-- 
*Thanks & Regards,*


*Sanjay Kumar Sahu*
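
An added example, not part of the original post: the GSS acceptor needs a keytab entry whose principal and enctype match the service ticket, so one way to check a keytab is to parse `klist -k -e` output for the SPN's entries and flag single-DES keys. The sample listing, host name, realm, keytab path and KVNOs below are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `klist -k -e <keytab>` output (MIT krb5 layout).
# Host, realm, path and KVNOs are placeholders, not values from the post.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/wiki.example.com@EXAMPLE.COM (des-cbc-crc)
   2 HTTP/wiki.example.com@EXAMPLE.COM (des-cbc-md5)
   3 HTTP/wiki.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/wiki.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
}

# keytab_entries SPN: print "kvno enctype" for each entry of SPN.
# Reads klist output on stdin; using the last two fields also copes with
# the extra timestamp columns that `klist -k -t -e` adds.
keytab_entries() {
    awk -v spn="$1" '$1 ~ /^[0-9]+$/ && $(NF-1) == spn {
        e = $NF; gsub(/[()]/, "", e); print $1, e }'
}

# keytab_has SPN ENCTYPE: exit 0 only if SPN has a key of that enctype.
keytab_has() {
    keytab_entries "$1" |
        awk -v e="$2" '$2 == e { found = 1 } END { exit !found }'
}

# keytab_weak: list "principal (enctype)" for single-DES entries.
keytab_weak() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /^\(des-/ { print $(NF-1), $NF }'
}

# Demo on the constructed sample.
spn=HTTP/wiki.example.com@EXAMPLE.COM
sample_klist | keytab_entries "$spn"
for e in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
    if sample_klist | keytab_has "$spn" "$e"; then
        echo "$e: present for $spn"
    else
        echo "$e: MISSING for $spn"
    fi
done
sample_klist | keytab_weak
```

On a real host, pipe in `klist -k -e` for the keytab that mod_auth_kerb is configured to use and compare the result with the enctype shown by `klist -e` on a client holding the service ticket.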

