[38364] in Kerberos


Re: Kerberos Digest, Vol 190, Issue 10

daemon@ATHENA.MIT.EDU (Sanjay Kumar Sahu)
Mon Oct 22 09:49:50 2018

MIME-Version: 1.0
In-Reply-To: <mailman.301.1540137675.7465.kerberos@mit.edu>
From: Sanjay Kumar Sahu <sanjaysahu.online@gmail.com>
Date: Mon, 22 Oct 2018 19:18:23 +0530
Message-ID: <CAJfJP0oEu-gGjgreCTKBU5+RPgkzmX691qf8cAWtGR4sf0yk-g@mail.gmail.com>
To: kerberos@mit.edu, kerberos-owner@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi!

Currently we are facing a Kerberos authentication issue on our RHEL7 server
running Apache/2.4 after changing the keytab Crypto type=AES256. Previously
it was Crypto type=all. Please check the following details.

We are using mod_auth_kerb on Red Hat Enterprise Linux for our application
MediaWiki 1.30.0 running in Apache/2.4.
We never faced any issue related to Kerberos authentication while we
used the keytab with the following cipher algorithms in the encryption method:
(des-cbc-crc)
(des-cbc-md5)
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

Later, the DES crypto type was categorized as a weak crypto type and it is
denied for use in Production for security reasons.

And we are asked to use a keytab using Advanced Encryption Standard (AES)
cryptography with either of the types (AES128 or AES256) for the following
cipher algorithms.

(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

But, unfortunately, neither of the keytabs encrypted with AES Crypto (AES128
or AES256) is working under Apache/2.4, and the following error is thrown in
the HTTPD server Error_log.


Error_log
-----------------
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
provide more information (, No key table entry found for the SPN)

Please let us know if there is any solution to resolve the issue for
kerberos.

On Sun, Oct 21, 2018 at 9:32 PM <kerberos-request@mit.edu> wrote:

> Today's Topics:
>
>    1. Make Windows Firefox Use Ticket gained via OpenConnect VPN
>       Connection (chiasa.men)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 Oct 2018 22:09:57 +0200
> From: "chiasa.men" <chiasa.men@web.de>
> Subject: Make Windows Firefox Use Ticket gained via OpenConnect VPN
>         Connection
> To: kerberos@mit.edu
> Message-ID: <25678829.3fpAYYNG7q@march>
> Content-Type: text/plain; charset="utf-8"
>
> I have an openconnect server where I can login with kerberos credentials
> (the vpn server basically also works as proxy to the kdc within said vpn -
> more detailed description:
> https://access.redhat.com/blogs/766093/posts/1976663)
>
> Now I can connect with a windows machine (using openconnect-gui) with my
> kerberos credentials. Which works.
>
> The next step shall be to use the gained ticket further for webservices
> within that vpn. How can I tell the browser (e.g. Firefox) to use the
> ticket gained by openconnect? Is there any way to achieve this?
>
> I also installed the MIT Kerberos Ticket Manager for Windows. Here
> (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> is described that it is possible to use that
> Manager with firefox in order to authenticate to webservices. Although I
> haven't been able to accomplish that, would it be possible to tell MIT
> Kerberos Ticket Manager to use the Ticket of the vpn login?
>
> Is there already a 'usual way' to achieve something like sso via vpn with
> kerberos with windows clients?


-- 
*Thanks & Regards,*


*Sanjay Kumar Sahu*
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
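
The message above contrasts a keytab holding four encryption types with an AES-only one and quotes a "No key table entry found" error. As an added example (not part of the original message and not code from MIT Kerberos or mod_auth_kerb), this Python code reads the keytab file format (version 0x0502) and reports which principals, key versions and encryption types a file actually holds, the same information `klist -ke` prints. The principal names, realm and all-zero keys in `SAMPLE` are constructed, and `sample_entry` exists only to build that sample.

```python
import struct

# Enctype numbers (RFC 3961/3962) for the four types named in the post.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(data, p):                  # 16-bit length-prefixed string
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        p, pos = pos + 4, pos + 4 + abs(size)   # p: this record, pos: the next
        if size <= 0:                           # negative size: deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        names, p = [], p + 2
        for _ in range(ncomp + 1):              # realm first, then components
            text, p = _counted(data, p)
            names.append(text)
        kvno = data[p + 8]                      # after name type and timestamp
        etype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen
        if pos - p >= 4:                        # optional 32-bit kvno, if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
    return entries

def enctypes_for(entries, principal):   # exact, case-sensitive match
    return sorted(e for name, _, e in entries if name == principal)

def sample_entry(name, realm, kvno, etype, key):   # builds constructed data
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", name.count("/") + 1) + cs(realm)
            + b"".join(map(cs, name.split("/")))
            + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key))
            + key + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample (hypothetical names, all-zero keys), not data from the post.
SAMPLE = (b"\x05\x02"
          + sample_entry("HTTP/wiki.example.com", "EXAMPLE.COM", 3, 18, bytes(32))
          + sample_entry("HTTP/wiki.example.com", "EXAMPLE.COM", 3, 17, bytes(16))
          + sample_entry("host/wiki.example.com", "EXAMPLE.COM", 2, 3, bytes(8)))
```

Calling `enctypes_for(parse_keytab(open(path, "rb").read()), spn)` on a real keytab returns an empty list when the file has no entry whose principal string matches `spn` exactly.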
