windows 2003 domain controller, mod_auth_kerb in linux, issue with kerberos

Ahmar Nauman ahmar_nauman at
Fri Jul 10 10:38:50 EDT 2009

I'm using Windows Server 2003 as a domain controller.
I've successfully followed all the necessary steps required for setting up SSO, generated keytab files which give me correct info if I type klist -k, integrated mod_auth_kerb and configured the machines.
My browser settings are just fine as well.

My httpd.conf is like:
<Location /myURL>
  AuthType Kerberos
  AuthName "Test Kerberos Login"
  # it doesn't work if I remove this line
  KrbVerifyKDC off
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  Krb5KeyTab /etc/krb5.keytab
  KrbSaveCredentials On
  KrbServiceName HTTP
  require valid-user
</Location>

Now when I tried to test from IE (v6) it opens a login box; if I supply the username and password as set up in Active Directory, it allows me to enter. I don't want to get this login box, so if I change KrbMethodK5Passwd to Off, it simply refuses to let me in, with an Authorization Required message in the browser, and in the Apache logs I get the following errors:

[Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1266): [client x.x.x.x] Verifying client data using KRB5 GSS-API
[Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): [client ......] Verification returned code 589824
[Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1309): [client ......] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Fri Jul 10 20:31:25 2009] [error] [client ......9] gss_accept_sec_context() failed: Invalid token was supplied (No error)

I'm trying to resolve this issue, but nothing has worked out so far.
Can anybody please help here?

- Ahmar
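
The debug lines in the message above report major status 589824 and a token that "seems to be NTLM". As an added example (not part of the original post and not mod_auth_kerb code), this Python code decodes that status using the RFC 2744 bit layout and classifies the token in an `Authorization: Negotiate` header value as raw NTLMSSP, SPNEGO or Kerberos. The function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs that can follow the 0x60 tag of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# Subset of RFC 2744 routine errors (bits 16-23 of the major status).
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 9: "GSS_S_DEFECTIVE_TOKEN", 13: "GSS_S_FAILURE"}

def decode_major_status(code):
    """Split a GSS-API major status into (calling error, routine error, supplementary bits)."""
    routine = (code >> 16) & 0xFF
    name = ROUTINE_ERRORS.get(routine, "routine error %d" % routine)
    return (code >> 24) & 0xFF, name, code & 0xFFFF

def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        if len(token) < 12:
            return "ntlm-truncated"
        msg_type = struct.unpack_from("<I", token, 8)[0]  # little-endian type field
        return "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    if len(token) > 2 and token[0] == 0x60:  # [APPLICATION 0] GSS-API wrapper
        # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
        start = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
        if token[start:].startswith(SPNEGO_OID):
            return "spnego"
        if token[start:].startswith(KRB5_OID):
            return "kerberos"
    return "unknown"

def sample_headers():
    """Constructed sample header values (not captured traffic)."""
    ntlm = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + bytes(16)
    spnego = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"
    krb5 = b"\x60\x0d" + KRB5_OID + b"\x01\x00"
    return {name: "Negotiate " + base64.b64encode(tok).decode()
            for name, tok in (("ntlm", ntlm), ("spnego", spnego), ("krb5", krb5))}

if __name__ == "__main__":
    print(decode_major_status(589824))
    for name, value in sample_headers().items():
        print(name, classify_negotiate(value))
```

A result beginning with `ntlm-` means the browser sent NTLM rather than a Kerberos ticket, which is the condition the module's warning describes.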

More information about the krbdev mailing list