[24025] in Kerberos


RE: kerberos authentication for apache on windows

daemon@ATHENA.MIT.EDU (Julien ALLANOS)
Mon Jun 6 04:12:30 2005

Message-ID: <20050606091227.sb8cnjqejxa8c0w4@webmail.aql.fr>
Date: Mon,  6 Jun 2005 09:12:27 +0200
From: Julien ALLANOS <julien.allanos@aql.fr>
To: kerberos@mit.edu
In-Reply-To: <OFFDE77C41.3E28F287-ON85257015.0062F9EB-85257015.0064D5DB@db.com>

Quoting Frank Balluffi <frank.balluffi@db.com>:

>
> For IE, follow the directions on
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
> (I think someone has already made this point), including shutting down ALL
> instances of IE and restarting IE.
>
> Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
> I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).
>
> I have seen IE send NTLM tokens under the following circumstances:
>
> 1. web server sends IE the following:
>
> HTTP/1.1 401 Authorization Required
> ...
> WWW-Authenticate: NTLM
> ...
>
> 2. IE is NOT configured as above and web server sends IE the following:
>
> HTTP/1.1 401 Authorization Required
> ...
> WWW-Authenticate: Negotiate
> ...
>
> mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
> mod_spnego, read Microsoft's directions very carefully.
>
> Sniff the following traffic:
>
> HTTP between IE and web server (usually port 80)
> Kerberos between IE and KDC (usually port 88)
>
> Frank
>

I am now facing the following problem: browsers don't send NTLM tokens
anymore but SPNEGO tokens (I believe). I don't really know what I did to make
it work, but heh, it works. That's good. However, I get internal server errors
from the web server. Actually I think mod_spnego couldn't find the keytab. So I
copied the keytab file to C:\WINDOWS\krb5kt as stated in mod_spnego's README
file. I am now getting this:

[Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
gss_acquire_cred failed; GSS-API: Miscellaneous failure)
[Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
gss_acquire_cred failed; GSS-API mechanism: No principal in keytab matches
desired name)

> klist -k c:\WINDOWS\krb5kt
Keytab name: FILE:c:\WINDOWS\krb5kt
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR

Any help please? Thanks.
-- 
Julien ALLANOS
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
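
To settle from a capture of the HTTP traffic whether the browser is answering `WWW-Authenticate: Negotiate` with NTLM or with SPNEGO/Kerberos, the Authorization header value can be decoded and its leading bytes inspected. This is an added example, not part of the original message or of mod_spnego; the function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]  # IndexError on a truncated token is handled by the caller
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_authorization(value):
    """Classify the value of an HTTP Authorization header taken from a capture."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"      # bare NTLM message, no GSS-API framing
        if token[0] != 0x60:       # GSS-API initial context token tag
            return "unknown"
        pos = _skip_der_length(token, 1)
    except (ValueError, IndexError):
        return "malformed"
    if token.startswith((OID_KRB5, OID_MS_KRB5), pos):
        return "raw-kerberos"      # Kerberos token without the SPNEGO wrapper
    if not token.startswith(OID_SPNEGO, pos):
        return "unknown"
    # SPNEGO NegTokenInit: mechTypes comes first, preferred mechanism first,
    # so the mechanism OID at the lowest offset is the one the client prefers.
    body = token[pos + len(OID_SPNEGO):]
    hits = sorted((body.find(oid), name) for oid, name in
                  ((OID_MS_KRB5, "kerberos"), (OID_KRB5, "kerberos"),
                   (OID_NTLMSSP, "ntlm")) if oid in body)
    return "spnego:" + hits[0][1] if hits else "spnego:unknown"


def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form DER length only


def sample_header(mech_oids):
    """Constructed sample: a NegTokenInit offering mech_oids, with no ticket."""
    init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"".join(mech_oids)))))
    return "Negotiate " + base64.b64encode(_tlv(0x60, OID_SPNEGO + init)).decode()
```

A result of `raw-ntlm` or `spnego:ntlm` means the client did not obtain a Kerberos service ticket for the server, which is the case to chase on the client and KDC side before looking at the keytab.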
