Re: spnego - Kerberos

Thread: Re: spnego

  1. Re: spnego

    On Sun, Aug 17, 2008 at 3:35 AM, yuval wrote:
    > Hi All
    >
    > I have a web server that requires authentication.
    > It does so by returning 401 www-authenticate: negotiate.
    > IE (FF too) sends a Kerberos ticket to authenticate.
    >
    > When the client (or client machine) is not in the domain, IE pops up for credentials
    > and creates an NTLMSSP blob.
    >
    > Is there any way to continue the negotiation with IE before it pops up the
    > NTLM credential prompt to the user? Maybe by sending a SPNEGO option?


    See "Issue 3" in the Plexcel Operators Manual on the Support page of
    the website in my signature. It outlines all of the reasons for
    browsers not doing Kerberos (obviously if you are not using Plexcel
    you will need to ignore any product specific references but getting
    browsers to do Kerberos is pretty much the same regardless of what you
    are using on the server side).

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/

  2. Re: spnego

    Michael B Allen wrote:
    > On Sun, Aug 17, 2008 at 3:35 AM, yuval wrote:
    >> Hi All
    >>
    >> I have a web server that requires authentication.
    >> It does so by returning 401 www-authenticate: negotiate.
    >> IE (FF too) sends a Kerberos ticket to authenticate.
    >>
    >> When the client (or client machine) is not in the domain, IE pops up for credentials
    >> and creates an NTLMSSP blob.
    >>
    >> Is there any way to continue the negotiation with IE before it pops up the
    >> NTLM credential prompt to the user? Maybe by sending a SPNEGO option?

    >
    > See "Issue 3" in the Plexcel Operators Manual on the Support page of
    > the website in my signature. It outlines all of the reasons for
    > browsers not doing Kerberos (obviously if you are not using Plexcel
    > you will need to ignore any product specific references but getting
    > browsers to do Kerberos is pretty much the same regardless of what you
    > are using on the server side).
    >
    > Mike
    >

    Hi!

    I have been struggling with the same problem (with apache &
    mod_auth_kerb). For me it seems that there really isn't a foolproof way
    to completely avoid getting NTLMSSP blobs from clients.

    I wonder if there is a way to perform the login using NTLMSSP data?

    Cheers,
    Tuomas
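The NTLMSSP fallback Tuomas describes can at least be recognised on the server before the token is handed to gss_accept_sec_context(). What follows is an added example, not code from this thread, from mod_auth_kerb or from Plexcel: it classifies the token in an Authorization: Negotiate header as Kerberos, NTLM or unknown by checking for the raw NTLMSSP signature and, for SPNEGO NegTokenInit tokens, by decoding the mechTypes list. The sample tokens it builds are constructed here for illustration (mechTypes only, no mechToken) and every function name in it is my own.

```python
"""Classify the token in an 'Authorization: Negotiate <base64>' header.

Added example (not from the thread, mod_auth_kerb or Plexcel).  A browser
that fell back to NTLM sends either a raw NTLMSSP message or a SPNEGO
NegTokenInit whose first mechType is NTLMSSP, so the server can spot the
fallback before calling gss_accept_sec_context().
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted-string form of the bytes inside a DER OBJECT IDENTIFIER."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def classify_token(token):
    """Return 'kerberos', 'ntlm' or 'unknown' for a decoded Negotiate token."""
    if token.startswith(b"NTLMSSP\x00"):    # bare NTLMSSP, no SPNEGO wrapper
        return "ntlm"
    try:
        tag, body, _ = _read_tlv(token, 0)  # InitialContextToken: [APPLICATION 0]
        if tag != 0x60:
            return "unknown"
        tag, oid, pos = _read_tlv(body, 0)  # thisMech OID
        if tag != 0x06:
            return "unknown"
        mech = _decode_oid(oid)
        if mech in KERBEROS_OIDS:
            return "kerberos"               # raw KRB5 AP-REQ without SPNEGO
        if mech != OID_SPNEGO:
            return "unknown"
        tag, neg_init, _ = _read_tlv(body, pos)     # [0] NegTokenInit
        if tag != 0xA0:
            return "unknown"
        _, seq, _ = _read_tlv(neg_init, 0)          # SEQUENCE { [0] mechTypes, ... }
        _, mech_types, _ = _read_tlv(seq, 0)        # [0] EXPLICIT
        _, mech_list, _ = _read_tlv(mech_types, 0)  # SEQUENCE OF OID
        mechs, pos = [], 0
        while pos < len(mech_list):
            _, oid, pos = _read_tlv(mech_list, pos)
            mechs.append(_decode_oid(oid))
    except (IndexError, ValueError):
        return "unknown"
    # The optimistic mechToken belongs to the first listed mechType, so that
    # is the mechanism the client actually chose.
    if mechs and mechs[0] in KERBEROS_OIDS:
        return "kerberos"
    if mechs and mechs[0] == OID_NTLMSSP:
        return "ntlm"
    return "unknown"


def classify_negotiate_header(header_value):
    """Same classification, starting from the Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        return classify_token(base64.b64decode(b64))
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"


# DER helpers below exist only to construct sample tokens for this example.

def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    if len(value) < 0x100:
        return bytes([tag, 0x81, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_spnego_init(mech_oids):
    """Constructed SPNEGO NegTokenInit carrying only mechTypes (no mechToken)."""
    mech_list = _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list))
    return _tlv(0x60, _encode_oid(OID_SPNEGO) + _tlv(0xA0, neg_init))


def negotiate_header(token):
    """Header value a browser would send for the given token."""
    return "Negotiate " + base64.b64encode(token).decode()
```

A domain-joined IE sends mechTypes starting with the MS Kerberos OID, a non-domain client sends NTLMSSP first (or a bare NTLMSSP message), so the server can log or reject the NTLM case with a clear message instead of the generic GSS failure. Knowing it is NTLM does not make the browser retry with Kerberos; the reasons it chose NTLM in the first place are the ones Mike's "Issue 3" list covers.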

  3. Re: spnego

    On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:

    > I have been struggling with the same problem (with apache &
    > mod_auth_kerb). For me it seems that there really isn't a foolproof
    > way
    > to completely avoid getting NTLMSSP blobs from clients.
    >
    > I wonder if there is a way to perform the login using NTLMSSP data?


    You can try with mod-auth-ntlm-winbind:
    http://viewcvs.samba.org/cgi-bin/vie...?root=lorikeet

    --
    Simo Sorce * Red Hat, Inc * New York


  4. Re: spnego

    Simo Sorce wrote:
    > On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
    >
    >> I have been struggling with the same problem (with apache &
    >> mod_auth_kerb). For me it seems that there really isn't a foolproof
    >> way
    >> to completely avoid getting NTLMSSP blobs from clients.
    >>
    >> I wonder if there is a way to perform the login using NTLMSSP data?

    >
    > You can try with mod-auth-ntlm-winbind:
    > http://viewcvs.samba.org/cgi-bin/vie...?root=lorikeet
    >


    Thanks for the info, I will try it as soon as I can get another test
    server to use since it's not possible to use both mod_auth_kerb and
    mod_auth_ntlm_winbind on the same server.

    I also found out using wireshark what Internet Explorer does when it
    fails to authenticate using Kerberos. It asks for a ticket from the Active
    Directory server for HTTP/virtualhost.domain.com instead of
    HTTP/realname.domain.com. For me this seems like a bug in IE7, has
    anyone found solutions for this?

    Cheers,
    Tuomas

  5. Re: spnego

    On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
    wrote:
    > I also found out using wireshark what Internet Explorer does when it
    > fails to authenticate using Kerberos. It asks for a ticket from the Active
    > Directory server for HTTP/virtualhost.domain.com instead of
    > HTTP/realname.domain.com. For me this seems like a bug in IE7, has
    > anyone found solutions for this?


    That's not a bug. You will need to add SPNs to the desired account
    (using setspn) for each virtual hostname.

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/

  6. Re: spnego

    Michael B Allen wrote:
    > On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
    > wrote:
    >> I also found out using wireshark what Internet Explorer does when it
    >> fails to authenticate using Kerberos. It asks for a ticket from the Active
    >> Directory server for HTTP/virtualhost.domain.com instead of
    >> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
    >> anyone found solutions for this?

    >
    > That's not a bug. You will need to add SPNs to the desired account
    > (using setspn) for each virtual hostname.


    I see, I just can't understand why this is happening occasionally. At
    least it makes things harder.

    Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still
    didn't work as they should. Now in apache's error.log I get:
    gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
    may provide more information (Key table entry not found)

    I understand that I should have also virtualhost.domain.com defined in
    my keytab, just don't have any idea how to do that.

    Thanks for all the help!
    -Tuomas

  7. Re: spnego

    On Tue, Sep 16, 2008 at 4:15 PM, Tuomas wrote:
    > Michael B Allen wrote:
    >> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
    >> wrote:
    >>> I also found out using wireshark what Internet Explorer does when it
    >>> fails to authenticate using Kerberos. It asks for a ticket from the Active
    >>> Directory server for HTTP/virtualhost.domain.com instead of
    >>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
    >>> anyone found solutions for this?

    >>
    >> That's not a bug. You will need to add SPNs to the desired account
    >> (using setspn) for each virtual hostname.

    >
    > I see, I just can't understand why this is happening occasionally. At
    > least it makes things harder.
    >
    > Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still
    > didn't work as they should. Now in apache's error.log I get:
    > gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
    > may provide more information (Key table entry not found)
    >
    > I understand that I should have also virtualhost.domain.com defined in
    > my keytab, just don't have any idea how to do that.


    Actually I think I might know why you're getting an error (I don't
    know a lot about mod_auth_kerb - I know a lot more about what is
    possible protocol-wise as opposed to what mod_auth_kerb can do).

    A keytab file can have multiple principals (SPNs in this case). For
    example, our Plexcel product automatically generates a keytab with all
    of the SPNs set on the HTTP service account. But now that I think
    about it, because mod_auth_kerb relies on ktpass.exe to generate the
    keytab file, and because ktpass can only generate the said keytab file
    with one principal, it has to be that one SPN you want to use.

    Meaning I suspect you have to run ktpass to generate a keytab file
    *with the specific SPN* you want to use.

    You might want to bring your problem to the mod_auth_kerb mailing
    list. They would certainly know better than I how to set this up. I'm
    happy to give you my best guess here but again, I'm not terribly
    familiar with mod_auth_kerb's nuances.

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/
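The keytab side of Mike's answer, as an added example that is not code from this thread, from mod_auth_kerb, from Plexcel or from Windows ktpass: the MIT keytab file format holds any number of principals, and "Key table entry not found" means the keytab has no entry whose principal is exactly the SPN IE asked for (HTTP/virtualhost.domain.com@REALM), even though it has one for HTTP/realname. The script below lists the principals in a keytab (the same information klist -kte prints), checks for a given SPN, and merges several single-principal keytabs, one ktpass -out file per SPN, into one file. The sample keytabs are constructed in memory with dummy key bytes and a made-up realm; all function names are mine.

```python
"""Inspect and merge MIT-format (version 0x0502) keytab files.

Added example, not code from the thread, mod_auth_kerb, Plexcel or ktpass.
The keytab the GSS acceptor reads must contain an entry for every SPN a
browser may request, so one ktpass output per SPN is merged into one file.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"      # keytab format version 2


def _counted(buf, pos):
    """Read a 16-bit length-prefixed byte string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return bytes(buf[pos:pos + n]), pos + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)  # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        pos += 4                          # name_type (32-bit)
        pos += 4                          # timestamp (32-bit)
        kvno = data[pos]                  # 8-bit kvno
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)
        if end - pos >= 4:                # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries


def has_principal(data, principal):
    """True if the keytab holds a key for exactly this principal string."""
    return any(p == principal for p, _, _ in parse_keytab(data))


def merge_keytabs(*keytabs):
    """Concatenate the entries of several v2 keytabs into one keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for kt in keytabs:
        if kt[:2] != KEYTAB_MAGIC:
            raise ValueError("not a version-2 keytab")
        out += kt[2:]
    return bytes(out)


def build_keytab_entry(principal, kvno, enctype, key):
    """Encode one keytab entry; used here only to construct samples."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)          # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 0)          # timestamp
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)       # 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(build_keytab_entry(*e) for e in entries)


# Constructed samples (dummy keys, made-up realm): what one ktpass -out file
# per SPN would hold, then the merged result the acceptor should be given.
AES256_CTS = 18
REALM = "DOMAIN.COM"
KEYTAB_REAL = build_keytab([("HTTP/realname.domain.com@" + REALM, 3, AES256_CTS, b"\x11" * 32)])
KEYTAB_VHOST = build_keytab([("HTTP/virtualhost.domain.com@" + REALM, 3, AES256_CTS, b"\x22" * 32)])
MERGED = merge_keytabs(KEYTAB_REAL, KEYTAB_VHOST)
```

For real files, read them with open(path, "rb").read() and write the merged bytes back with the same restrictive ownership and mode the original keytab had, since the keys are password-equivalent. One caveat when all the SPNs live on the same AD account: a ktpass run that sets a new account password also bumps the kvno, which makes entries produced by earlier runs stale, so the kvno column from parse_keytab() should agree across entries; if it does not, regenerate them in one pass, or add the extra principals with MIT ktutil's addent -password using the same password and kvno.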
