Hi all
I installed an Apache Webserver. Now I would like to add SSO for the website.
Config:
/usr/local/etc/apache22/httpd.conf
Code:
<Directory "/usr/local/www/apache22/data">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Kerberos
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP
Krb5Keytab /usr/local/etc/apache22/http_webserver.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user
</Directory>
I created the keytab file as follows:
Code:
C:>ktpass -princ HTTP/webserver.domain.com@DOMAIN.COM -mapuser DOMAIN\user -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass user -out http_webserver.keytab
Targeting domain controller: dc.domain.com
Successfully mapped HTTP/webserver.domain.com to webserver.
Password succesfully set!
Key created.
Output keytab to http_webserver.keytab:
Keytab version: 0x502
keysize 60 HTTP/webserver.comain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x16794fd3e6f49292)
Account webserver has been set for DES-only encryption.
The /usr/local/etc/apache22/http_webserver.keytab has permissions 444 and is owned by root. Once everything is working I will change the ownership to www.
If I run kinit loginuser and type the password I can see with klist:
Code:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: loginuser@DOMAIN.COM
Issued Expires Principal
Aug 27 14:50:58 Aug 28 00:50:57 krbtgt/DOMAIN.COM@DOMAIN.COM
But when I want to login via the website I get the following logs:
Code:
[Sat Aug 27 14:47:49 2011] [debug] src/mod_auth_kerb.c(1628): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(1628): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(994): [client xxx.xxx.xxx.xxx] Using HTTP/webserver.domain.com@DOMAIN.COM as server principal for password verification
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(698): [client xxx.xxx.xxx.xxx] Trying to get TGT for user loginuser@DOMAIN.COM
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(609): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/webserver.domain.com@DOMAIN.COM
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(624): [client xxx.xxx.xxx.xxx] krb5_get_credentials() failed when verifying KDC
[Sat Aug 27 14:47:54 2011] [error] [client 192.168.40.240] failed to verify krb5 credentials: KDC has no support for encryption type
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(1073): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
[Sat Aug 27 14:47:56 2011] [debug] src/mod_auth_kerb.c(1628): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Thanks for any help.
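The ktpass output above shows the service key was written with etype 0x3 (DES-CBC-MD5, an 8-byte key) and the account set to DES-only, and the mod_auth_kerb log then fails with "KDC has no support for encryption type" while verifying the KDC with that keytab. A useful pre-deployment check is to read the keytab and flag keys whose enctype a current KDC will not accept. The script below is an added example, not code from the poster or from mod_auth_kerb: it parses the version 0x0502 keytab format (MIT/Heimdal on-disk layout) and reports DES and RC4 keys. The sample keytab is constructed in the script using the post's principal name; both key values and the AES256 entry are made up for illustration.

```python
import struct
from typing import Dict, List, Tuple

# Kerberos enctype numbers from the RFC 3961 registry (common ones only).
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
# DES (and RC4) keys are refused by KDCs that have those enctypes disabled,
# which is the default on current Windows domain controllers.
WEAK_ENCTYPES = {1, 2, 3, 23}


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string: uint16 big-endian length followed by bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[dict]:
    """Parse a version 0x0502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:      # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "vno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_length": len(key),
        })
    return entries


def weak_keys(entries: List[dict]) -> List[Tuple[str, str]]:
    """Return (principal, enctype_name) for every key using a weak enctype."""
    return [(e["principal"], e["enctype_name"]) for e in entries
            if e["enctype"] in WEAK_ENCTYPES]


def build_keytab(entries) -> bytes:
    """Serialise (principal, realm, enctype, key, vno) tuples as a 0x0502 keytab.
    Only used here to construct sample input; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, realm, enctype, key, vno in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, vno & 0xFF)   # KRB5_NT_PRINCIPAL, ts 0
        body += struct.pack(">H", enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the post's service principal with a DES-CBC-MD5 key
# (enctype 3, 8 bytes, kvno 3 as ktpass reported) beside an AES256 key.
# Both key values are invented for this example.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/webserver.domain.com", "DOMAIN.COM", 3, bytes(range(8)), 3),
    ("HTTP/webserver.domain.com", "DOMAIN.COM", 18, bytes(range(32)), 3),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print("%s kvno=%d %s (%d-byte key)" % (e["principal"], e["vno"],
                                               e["enctype_name"], e["key_length"]))
    for principal, name in weak_keys(parsed):
        print("WARNING: %s has a %s key; a KDC with DES disabled will reject it" % (principal, name))
```

To check a real file, pass the bytes of the keytab to parse_keytab (or simply run klist -ket with MIT tools, or ktutil list with Heimdal, which print the enctype of each key). Because mod_auth_kerb with KrbMethodK5Passwd verifies the KDC using the key in Krb5Keytab, a keytab whose only key is an enctype the KDC will not issue tickets for cannot pass that verification step.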