Re: spnego - Kerberos
Re: spnego
On Sun, Aug 17, 2008 at 3:35 AM, yuval wrote:
> Hi All
>
> I have a web server that requires authentication.
> It does so by returning 401 www-authenticate: negotiate.
> IE (FF too) sends a Kerberos ticket to authenticate.
>
> When the client (or client machine) is not from the domain, IE pops up a prompt
> for credentials and creates an NTLMSSP blob.
>
> Is there any way to continue the negotiation with IE before it pops up the
> NTLM credential prompt to the user? Maybe by sending a SPNEGO option?
See "Issue 3" in the Plexcel Operators Manual on the Support page of
the website in my signature. It outlines all of the reasons for
browsers not doing Kerberos (obviously if you are not using Plexcel
you will need to ignore any product specific references but getting
browsers to do Kerberos is pretty much the same regardless of what you
are using on the server side).
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
-
Re: spnego
Michael B Allen wrote:
> On Sun, Aug 17, 2008 at 3:35 AM, yuval wrote:
>> Hi All
>>
>> I have a web server that requires authentication.
>> It does so by returning 401 www-authenticate: negotiate.
>> IE (FF too) sends a Kerberos ticket to authenticate.
>>
>> When the client (or client machine) is not from the domain, IE pops up a prompt
>> for credentials and creates an NTLMSSP blob.
>>
>> Is there any way to continue the negotiation with IE before it pops up the
>> NTLM credential prompt to the user? Maybe by sending a SPNEGO option?
>
> See "Issue 3" in the Plexcel Operators Manual on the Support page of
> the website in my signature. It outlines all of the reasons for
> browsers not doing Kerberos (obviously if you are not using Plexcel
> you will need to ignore any product specific references but getting
> browsers to do Kerberos is pretty much the same regardless of what you
> are using on the server side).
>
> Mike
>
Hi!
I have been struggling with the same problem (with apache &
mod_auth_kerb). For me it seems that there really isn't a foolproof way
to completely avoid getting NTLMSSP blobs from clients.
I wonder is there a way to perform the login using NTLMSSP data?
Cheers,
Tuomas
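The fallback yuval and Tuomas describe can at least be recognised on the server side: the value of the Negotiate header is either a bare NTLMSSP message or a GSS-API token wrapping a SPNEGO NegTokenInit, and the first OID in that token's mechTypes list is the mechanism the client built its mechToken with. The Python below is an added example, not code from this thread, from Plexcel or from mod_auth_kerb; it parses that header and flags NTLM fallbacks in a few constructed log lines. The sample tokens, hostnames, addresses and log lines are constructed, and the mechToken bytes are placeholders rather than real Kerberos or NTLM messages.

```python
import base64

# OIDs seen in a Negotiate header: the SPNEGO wrapper plus the mechanisms IE offers.
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.48018.1.2.2":    "krb5-ms",   # Microsoft Kerberos OID, listed first by IE
    "1.2.840.113554.1.2.2":   "krb5",
    "1.3.6.1.4.1.311.2.2.10": "ntlmssp",
}

# --- minimal DER helpers; the encoders exist only to build the constructed samples ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length (real AP-REQs exceed 127 bytes)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value.
    Returns (kind, mechs): kind is 'kerberos', 'ntlm' or 'unknown'; mechs is the
    client's mechType list, its first entry being the one the mechToken was built with."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown", []
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):        # bare NTLM message under the Negotiate scheme
        return "ntlm", ["ntlmssp (bare)"]
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:                             # not a GSS-API InitialContextToken
        return "unknown", []
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return "unknown", []
    outer = _decode_oid(oid_body)
    if outer in MECH_NAMES:                     # Kerberos AP-REQ sent without the SPNEGO wrapper
        name = MECH_NAMES[outer]
        return ("ntlm" if name == "ntlmssp" else "kerberos"), [name]
    if outer != SPNEGO_OID:
        return "unknown", [outer]
    tag, init, _ = _read_tlv(body, pos)         # NegotiationToken ::= [0] NegTokenInit
    if tag != 0xA0:
        return "unknown", []
    _, fields, _ = _read_tlv(init, 0)           # NegTokenInit ::= SEQUENCE { [0] mechTypes, ... }
    p = 0
    while p < len(fields):
        ftag, fbody, p = _read_tlv(fields, p)
        if ftag != 0xA0:
            continue
        _, seq, _ = _read_tlv(fbody, 0)         # mechTypes ::= SEQUENCE OF OID
        mechs, q = [], 0
        while q < len(seq):
            _, ob, q = _read_tlv(seq, q)
            mechs.append(MECH_NAMES.get(_decode_oid(ob), _decode_oid(ob)))
        if not mechs:
            break
        return ("ntlm" if mechs[0] == "ntlmssp" else "kerberos"), mechs
    return "unknown", []

def build_neg_token_init(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit; used only for the constructed samples below."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_types + token)))

# Constructed sample headers (placeholder mechToken bytes, not real AP-REQ or NTLM messages).
KERB_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init(
    list(MECH_NAMES), b"\x6e\x82\x00\x10" + b"\x00" * 16)).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8)).decode()
BARE_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def ntlm_fallback_lines(log_lines):
    """Return the log lines whose Negotiate token is an NTLM fallback."""
    marker = "Authorization: "
    return [line for line in log_lines
            if marker in line and classify_negotiate(line.split(marker, 1)[1])[0] == "ntlm"]

SAMPLE_LOG = [  # constructed; a real Apache log needs a LogFormat containing %{Authorization}i
    '10.0.0.5 - - [20/Aug/2008:19:32:01 +0300] "GET / HTTP/1.1" 200 Authorization: ' + KERB_HEADER,
    '10.0.0.9 - - [20/Aug/2008:19:32:07 +0300] "GET / HTTP/1.1" 200 Authorization: ' + NTLM_HEADER,
]
```

Logging only the classification (the `kind` value) rather than the whole token is enough to see which clients fell back to NTLM, which is the starting point for the SPN and keytab questions raised later in this thread.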
-
Re: spnego
On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
> I have been struggling with the same problem (with apache &
> mod_auth_kerb). For me it seems that there really isn't a foolproof way
> to completely avoid getting NTLMSSP blobs from clients.
>
> I wonder is there a way to perform the login using NTLMSSP data?
You can try with mod-auth-ntlm-winbind:
http://viewcvs.samba.org/cgi-bin/vie...?root=lorikeet
--
Simo Sorce * Red Hat, Inc * New York
-
Re: spnego
Simo Sorce wrote:
> On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
>
>> I have been struggling with the same problem (with apache &
>> mod_auth_kerb). For me it seems that there really isn't a foolproof way
>> to completely avoid getting NTLMSSP blobs from clients.
>>
>> I wonder is there a way to perform the login using NTLMSSP data?
>
> You can try with mod-auth-ntlm-winbind:
> http://viewcvs.samba.org/cgi-bin/vie...?root=lorikeet
>
Thanks for the info, I will try it as soon as I can get another test
server to use since it's not possible to use both mod_auth_kerb and
mod_auth_ntlm_winbind on the same server.
I also found out using Wireshark what Internet Explorer does when it
fails to authenticate using Kerberos. It asks for a ticket from the Active
Directory server for HTTP/virtualhost.domain.com instead of
HTTP/realname.domain.com. To me this seems like a bug in IE7; has
anyone found solutions for this?
Cheers,
Tuomas
-
Re: spnego
On Thu, Sep 11, 2008 at 12:30 PM, Tuomas wrote:
> I also found out using Wireshark what Internet Explorer does when it
> fails to authenticate using Kerberos. It asks for a ticket from the Active
> Directory server for HTTP/virtualhost.domain.com instead of
> HTTP/realname.domain.com. To me this seems like a bug in IE7; has
> anyone found solutions for this?
That's not a bug. You will need to add SPNs to the desired account
(using setspn) for each virtual hostname.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
-
Re: spnego
Michael B Allen wrote:
> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas wrote:
>> I also found out using Wireshark what Internet Explorer does when it
>> fails to authenticate using Kerberos. It asks for a ticket from the Active
>> Directory server for HTTP/virtualhost.domain.com instead of
>> HTTP/realname.domain.com. To me this seems like a bug in IE7; has
>> anyone found solutions for this?
>
> That's not a bug. You will need to add SPNs to the desired account
> (using setspn) for each virtual hostname.
I see, I just can't understand why this is happening only occasionally. At
least it makes things harder.
Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", but things still
didn't work as they should. Now in apache's error.log I get:
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information (Key table entry not found)
I understand that I should have also virtualhost.domain.com defined in
my keytab, just don't have any idea how to do that.
Thanks for all the help!
-Tuomas
-
Re: spnego
On Tue, Sep 16, 2008 at 4:15 PM, Tuomas wrote:
> Michael B Allen wrote:
>> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas wrote:
>>> I also found out using Wireshark what Internet Explorer does when it
>>> fails to authenticate using Kerberos. It asks for a ticket from the Active
>>> Directory server for HTTP/virtualhost.domain.com instead of
>>> HTTP/realname.domain.com. To me this seems like a bug in IE7; has
>>> anyone found solutions for this?
>>
>> That's not a bug. You will need to add SPNs to the desired account
>> (using setspn) for each virtual hostname.
>
> I see, I just can't understand why this is happening only occasionally. At
> least it makes things harder.
>
> Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", but things still
> didn't work as they should. Now in apache's error.log I get:
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information (Key table entry not found)
>
> I understand that I should have also virtualhost.domain.com defined in
> my keytab, just don't have any idea how to do that.
Actually I think I might know why you're getting an error (I don't
know a lot about mod_auth_kerb - I know a lot more about what is
possible protocol-wise as opposed to what mod_auth_kerb can do).
A keytab file can have multiple principals (SPNs in this case). For
example, our Plexcel product automatically generates a keytab with all
of the SPNs set on the HTTP service account. But now that I think
about it, because mod_auth_kerb relies on ktpass.exe to generate the
keytab file, and because ktpass can only generate the said keytab file
with one principal, it has to be that one SPN you want to use.
Meaning I suspect you have to run ktpass to generate a keytab file
*with the specific SPN* you want to use.
You might want to bring your problem to the mod_auth_kerb mailing
list. They would certainly know better than I how to set this up. I'm
happy to give you my best guess here but again, I'm not terribly
familiar with mod_auth_kerb's nuances.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
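The two points made above, that IE asks for a ticket for whichever virtual hostname is in the URL and that the keytab therefore needs a key for every HTTP/<vhost>@REALM principal the browser may name, can be checked directly on the keytab file: gss_accept_sec_context() looks up the principal from the client's ticket in the keytab, and "Key table entry not found" is what it reports when that principal is absent. The Python below is an added example, not code from this thread, from mod_auth_kerb or from Plexcel. It writes a small keytab in the MIT version 0x0502 layout (the format mod_auth_kerb reads), parses it back and lists the virtual hosts with no HTTP entry; the realm, hostnames, keys, kvno and timestamps are constructed.

```python
import struct

KRB5_NT_PRINCIPAL = 1       # name type stored for ordinary service principals
ENCTYPE_RC4_HMAC = 23       # enctype ktpass produces with -crypto RC4-HMAC-NT

def _counted(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab_entry(principal, enctype, key, kvno, timestamp):
    """Serialize one entry in the MIT keytab (version 0x0502) layout."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)                        # keyblock
    body += struct.pack(">I", kvno)                                           # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    """entries: iterable of (principal, enctype, key, kvno, timestamp) tuples."""
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)

def _parse_entry(entry):
    p = 0
    def counted():
        nonlocal p
        (n,) = struct.unpack(">H", entry[p:p + 2])
        p += 2
        s = entry[p:p + n]
        p += n
        return s
    (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
    (enctype,) = struct.unpack(">H", entry[p:p + 2]); p += 2
    key = counted()
    kvno = vno8
    if p + 4 <= len(entry):                   # 32-bit kvno present: it overrides vno8
        (kvno,) = struct.unpack(">I", entry[p:p + 4])
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key}

def parse_keytab(data):
    """Return the live entries of a version-0x0502 keytab as dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                          # a negative size marks a deleted slot
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def missing_http_spns(keytab_bytes, vhosts, realm):
    """Virtual hostnames for which the keytab holds no HTTP/<host>@REALM key.
    A client ticket for such a name is what produces 'Key table entry not found'."""
    present = {e["principal"] for e in parse_keytab(keytab_bytes)}
    return [v for v in vhosts if "HTTP/%s@%s" % (v, realm) not in present]

# Constructed sample: a keytab with only the real hostname, then one with the vhost added.
# Both SPNs sit on the same service account, so they share one key and kvno.
REALM = "DOMAIN.COM"
VHOSTS = ["realname.domain.com", "virtualhost.domain.com"]
ONE_SPN_KEYTAB = build_keytab([
    ("HTTP/realname.domain.com@DOMAIN.COM", ENCTYPE_RC4_HMAC, b"\x11" * 16, 3, 1221500000),
])
BOTH_SPN_KEYTAB = build_keytab([
    ("HTTP/realname.domain.com@DOMAIN.COM", ENCTYPE_RC4_HMAC, b"\x11" * 16, 3, 1221500000),
    ("HTTP/virtualhost.domain.com@DOMAIN.COM", ENCTYPE_RC4_HMAC, b"\x11" * 16, 3, 1221500000),
])

if __name__ == "__main__":
    for label, kt in (("one SPN", ONE_SPN_KEYTAB), ("both SPNs", BOTH_SPN_KEYTAB)):
        print(label, "-> missing:", missing_http_spns(kt, VHOSTS, REALM))
```

On a real file, `klist -kt /path/to/keytab` prints the same principal, kvno and timestamp columns that parse_keytab returns. When each ktpass run yields a single-principal file, MIT `ktutil` can read them one after another with `rkt` and write the merged result once with `wkt`, giving one keytab that holds every SPN; the kvno in the file must also match the account's current kvno, which changes whenever the account password is reset.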