Kerberos Digest, Vol 190, Issue 10

Todd Grayson tgrayson at cloudera.com
Mon Oct 22 09:58:34 EDT 2018


Sanjay, this is confusing for you to reply to the kerberos digest email with
your own issue. Create a new email with its own subject for your question.

Please send an email directly to the kerberos at mit.wsu list.

On Mon, Oct 22, 2018, 7:52 AM Sanjay Kumar Sahu <sanjaysahu.online at gmail.com>
wrote:

> Hi!
>
> Currently we are facing a Kerberos authentication issue on our RHEL7 server
> running Apache/2.4 after changing the keytab Crypto type=AES256. Previously
> it was Crypto type=all. Please check the following details.
>
> We are using mod_auth_kerb on Red Hat Enterprise Linux for our application
> MediaWiki 1.30.0 running in Apache/2.4.
> We never faced any issue related to Kerberos authentication while we
> used the keytab with the following cipher algorithms in the encryption method.
> (des-cbc-crc)
> (des-cbc-md5)
> (aes256-cts-hmac-sha1-96)
> (aes128-cts-hmac-sha1-96)
>
> Later, the DES crypto type was categorized as a weak crypto type and it is
> denied for use in Production for security reasons.
>
> We are asked to use a keytab using Advanced Encryption Standard (AES)
> cryptography with either of the types (AES128 or AES256) for the following
> cipher algorithms.
>
> (aes256-cts-hmac-sha1-96)
> (aes128-cts-hmac-sha1-96)
>
> But unfortunately neither of the keytabs encrypted with AES Crypto (AES128
> or AES256) works under Apache/2.4, and the following error is thrown in the
> HTTPD server Error_log.
>
>
> Error_log
> -----------------
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
> provide more information (, No key table entry found for the SPN)
>
> Please let us know if there is any solution to resolve the issue for
> kerberos.
>
> On Sun, Oct 21, 2018 at 9:32 PM <kerberos-request at mit.edu> wrote:
>
> > Today's Topics:
> >
> >    1. Make Windows Firefox Use Ticket gained via OpenConnect VPN
> >       Connection (chiasa.men)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sat, 20 Oct 2018 22:09:57 +0200
> > From: "chiasa.men" <chiasa.men at web.de>
> > Subject: Make Windows Firefox Use Ticket gained via OpenConnect VPN
> >         Connection
> > To: kerberos at mit.edu
> > Message-ID: <25678829.3fpAYYNG7q at march>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I have an openconnect server where I can login with kerberos credentials
> > (the vpn server basically also works as proxy to the kdc within said vpn -
> > more detailed description:
> > https://access.redhat.com/blogs/766093/posts/1976663)
> >
> > Now I can connect with a windows machine (using openconnect-gui) with my
> > kerberos credentials. Which works.
> >
> > The next step shall be to use the gained ticket further for webservices
> > within that vpn. How can I tell the browser (e.g. Firefox) to use the
> > ticket gained by openconnect? Is there any way to achieve this?
> >
> > I also installed the MIT Kerberos Ticket Manager for Windows. Here
> > (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> > is described that it is possible to use that
> > Manager with firefox in order to authenticate to webservices. Although I
> > haven't been able to accomplish that, would it be possible to tell MIT
> > Kerberos Ticket Manager to use the Ticket of the vpn login?
> >
> > Is there already a 'usual way' to achieve something like sso via vpn with
> > kerberos with windows clients?
> >
> > ------------------------------
> >
> > _______________________________________________
> > Kerberos mailing list
> > Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> > End of Kerberos Digest, Vol 190, Issue 10
> > *****************************************
> >
>
>
> --
> *Thanks & Regards,*
>
>
> *Sanjay Kumar Sahu*

