[24027] in Kerberos


RE: kerberos authentication for apache on windows

daemon@ATHENA.MIT.EDU (Frank Balluffi)
Mon Jun 6 08:59:08 2005

In-Reply-To: <20050606091227.sb8cnjqejxa8c0w4@webmail.aql.fr>
To: "Julien ALLANOS <julien.allanos" <julien.allanos@aql.fr>
MIME-Version: 1.0
From: "Frank Balluffi" <frank.balluffi@db.com>
Message-ID: <OF0DD3EA66.30C0AE1E-ON85257018.0045B655-85257018.0047A2E2@db.com>
Date: Mon, 6 Jun 2005 08:58:00 -0400
Content-Type: text/plain; charset="US-ASCII"
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Julien ALLANOS said:

> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API: Miscellaneous failure)
> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API mechanism: No principal in keytab matches
> desired name)
> 
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR

Sniff the traffic between the browser and the KDC (usually port 88 of the 
KDC) and look at the service name in the HTTP ticket sent from the KDC to 
the browser in the TGS-REP, which should equal a name in the keytab.

Also, I remember having difficulties using KRB5_KTNAME on Windows -- 
either it was not supported on Windows or did not support drive letters 
(e.g., C:). There are two notes about KRB5_KTNAME in 
mod_spnego/readme.txt.

Frank
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
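
A small checker for the comparison described in the reply above, as an added example that is not part of the original message or of mod_spnego: it parses the `klist -k` listing quoted in the thread and reports which component (service, host or realm) of a ticket's service name differs from each keytab entry. The ticket names passed to `compare` in the demo are constructed samples; the real one is read from the TGS-REP in the capture.

```python
import re

# Keytab listing as quoted on the page (`klist -k`), separator line rejoined.
KLIST_OUTPUT = r"""Keytab name: FILE:c:\WINDOWS\krb5kt
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR
"""

def parse_principal(name):
    """Split 'service/host@REALM' into (service, host, realm); missing parts are ''."""
    rest, _, realm = name.rpartition("@") if "@" in name else (name, "", "")
    service, _, host = rest.partition("/")
    return service, host, realm

def keytab_principals(klist_text):
    """Return [(kvno, principal)] from `klist -k` output, skipping header lines."""
    entries = []
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def compare(ticket_sname, klist_text=KLIST_OUTPUT):
    """Exact, case-sensitive comparison; returns (matched, findings)."""
    t = parse_principal(ticket_sname)
    findings = []
    for kvno, princ in keytab_principals(klist_text):
        k = parse_principal(princ)
        if k == t:
            return True, [f"exact match: {princ} (kvno {kvno})"]
        diffs = []
        for label, a, b in zip(("service", "host", "realm"), t, k):
            if a != b:
                kind = "case only" if a.lower() == b.lower() else "different"
                diffs.append(f"{label} {kind}: ticket={a!r} keytab={b!r}")
        findings.append(f"{princ}: " + "; ".join(diffs))
    return False, findings or ["keytab has no entries"]

if __name__ == "__main__":
    # Constructed ticket service names, standing in for the sname/realm
    # fields read from the TGS-REP in a packet capture.
    for sname in ("HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR",
                  "HTTP/ADCASSARD.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR",
                  "HTTP/adcassard.jas.aql.fr@EXAMPLE.TEST"):
        print(sname, "->", compare(sname))
```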
