One more thing about my problem: If I use mozilla switched to MIT Kerberos I can access the WebServer. After doing that I have the correct ticket showing up in kerbtray. Still, IE or Mozilla with Microsoft Kerberos won't use that ticket.

Florian

> Hi again,
>
> I did what you suggested Mikkel, but it did not change anything, I still
> have the same problem.
> Any more ideas anyone?
>
> Florian
>
> > Hi
> >
> > I had some trouble finding out my self. So I ended up changing in
> > configure. Really stupid patch. Changes the check to reverse.
> >
> > /Mikkel
> >
> > --- ../BUILD/mod_auth_kerb-5.3/configure 2007-08-15
> > 08:36:07.000000000 +0200
> > +++ /home/mkj/mod_auth_kerb-5.3.orig/configure 2007-07-25
> > 11:38:20.000000000 +0200
> > @@ -3903,7 +3903,7 @@
> > ac_status=$?
> > echo "$as_me:$LINENO: \$? = $ac_status" >&5
> > (exit $ac_status); }; }; then
> > - if test $? -eq 1; then
> > + if test $? -eq 0; then
> > echo "$as_me:$LINENO: result: yes" >&5
> > echo "${ECHO_T}yes" >&6
> > cat >>confdefs.h <<\_ACEOF
> >
> >
> > On Wed, 2007-11-21 at 15:20 +0100, Florian.Dautermann@gmx.de wrote:
> >
> > > Hi Mikkel,
> > >
> > > thanks for the quick answer! Can you tell me how I switch to the

> > internal SPNEGO? I did not find any information about that on the

> project web page
> > nor on the internet.
> > >
> > > Thanks,
> > > Florian
> > >
> > > thanks
> > >
> > > > Hi Florian
> > > >
> > > > I had the same problem. There is an error in mod_auth_kerb when

> using
> > > > the system SPNEGO. You have to use the mod_auth_kerb internal

> SPNEGO.
> > > >
> > > > I was testing on RHEL5 and had to recompile with internal SPNEGO and

> > it
> > > > worked.
> > > >
> > > > /Mikkel
> > > >
> > > > On Wed, 2007-11-21 at 14:36 +0100, Florian Dautermann wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I have a the following problem:
> > > > > Our KDC is a Windows 2003 AD Server with address "company.corp"
> > > > > which is also the name of the domain. We have an Apache
> > > > > Webserver running on an OpenSuse with mod_auth_kerb (5.3).
> > > > > Its name is "department.location.company.corp". It has a
> > > > > valid keytab file (for
> > > > > HTTP/department.location.company.corp@company.corp) with
> > > > > which it can get tickets. The WebServer is accessed via
> > > > "http://department.location.company.corp:1081/site".
> > > > >
> > > > > Some hosts can access the WebServer correctly.
> > > > >
> > > > > The other hosts who cannot access the WebServer are
> > > > > Windows XP Pro machines, hooked into the domain with a
> > > > > domain user logged on. Access is not possible via: IE6,
> > > > > IE7, Mozilla despite correct configuration (Integrated
> > > > > Windows Authentication is on, correct zone is set...).
> > > > > Access is possible via the following ways: running the
> > > > > browsers explicitly as the users domain account; using
> > > > > MIT Kerberos for Windows in combination with mozilla
> > > > > (switching network.auth.use-sspi to false). Kerbtray
> > > > > shows a TGT in the MSLSA cache.
> > > > >
> > > > > In case of a failure, Apache log shows that the client
> > > > > is sending an NTLM token. Network sniffers show, that
> > > > > there is no communication between the client and the KDC.
> > > > >
> > > > > One really funny thing about the whole thing is that
> > > > > the error appears exclusively if the user is in the local
> > > > > Administrators group. (User logs on; it is working; user
> > > > > is granted administrative rights; logs off and on again;
> > > > > it does not work). Removing the user from Administrator
> > > > > group again afterwards does not solve the problem.
> > > > >
> > > > > I guess somehow the Microsoft SSPI is the problem, but
> > > > > I do not know how to fix it.
> > > > >
> > > > > Any ideas or thoughts are appreciated.
> > > > >
> > > > > Thanks,
> > > > > Florian

> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos