RE: kerberos authentication for apache on windows - Kerberos


Thread: RE: kerberos authentication for apache on windows

  1. RE: kerberos authentication for apache on windows

    looks like your spnego is not requesting Kerberos tokens or windows xp
    client doesn't support Kerberos tokens.

    1. you may want to configure win xp client, I guess you are using IE
    browser, as described in the link below

    http://msdn.microsoft.com/library/de.../en-us/dnsecure/html/http-sso-1.asp

    2. I have used mod_auth_krb (http://modauthkerb.sourceforge.net/) to
    configure my apache webserver ( running on linux) successfully for
    SPNEGO with Kerberos authentication. you may want to add these lines to
    your conf file


    AuthType Kerberos
    KrbMethodNegotiate on
    ------ your rest of the stuff comes here -----


    3. Use network protocol analyzer tools (ethereal works for me) to see
    what's going on between KDC, client and server. You may want to run the
    tool on the client as it talks to both KDC and server.


    -----Original Message-----
    From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
    Behalf Of Julien ALLANOS
    Sent: Thursday, June 02, 2005 6:37 AM
    To: kerberos@mit.edu
    Subject: Re: kerberos authentication for apache on windows

    Quoting Jeffrey Altman:

    > Julien ALLANOS wrote:
    >> Hello,
    >>
    >> I'm new to kerberos, and I want to know if the following
    >> configuration is possible:
    >>
    >> I have an Apache2 web server running on Windows 2003 Server, and I
    >> want to authenticate users with kerberos before they can access the web
    >> server content. The kdc service seems to be up and running on the Windows
    >> 2003 server.
    >>
    >> 1/ how can I check that a client (Windows XP) that has just logged
    >> into the domain, has been given a TGT?
    >
    > If you want a visual indication, you can use:
    >
    > * the "klist" tool provided by Microsoft with Windows
    >
    > * the "kerbtray" tool provided by Microsoft in the Resource Kit
    >
    > * MIT Kerberos for Windows and its Leash Ticket Manager,
    >
    >> Now I have to "kerberize" the Apache server. I found mod_auth_krb
    >> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I
    >> need headers and libs for a Kerberos implementation.
    >>
    >> 2/ Can I use Windows implementation to compile it? Or do I have to
    >> install another Kerberos implementation (such as MIT for Windows 2.6.5) in
    >> order to build it?
    >
    > If you want to build an Apache module that uses the MIT Kerberos APIs,
    > you can build the module against the SDK that is installed as a part
    > of MIT Kerberos for Windows.
    >
    > Jeffrey Altman

    Thanks.

    I have installed kerbtray, and I can see the following tickets for
    MY.DOMAIN.COM:

    cifs/srv.my.domain.com
    krbtgt/MY.DOMAIN.COM (forwarded)
    krbtgt/MY.DOMAIN.COM (initial)
    ldap/srv.my.domain.com/my.domain.com

    So I suppose the krbtgt are the TGT. But why two tickets?

    I've succeeded in building mod_spnego.so for Windows, using MIT kfw 2.6.5,
    fbopenssl, openssl and apache2. Then I've created a user in AD, and a
    corresponding keytab for HTTP/my.domain.com@MY.DOMAIN.COM.

    I'm using the following configuration for Apache:


    AuthType SPNEGO
    Krb5KeyTabFile conf/rp.HTTP.keytab
    Krb5ServiceName HTTP
    Require valid-user


    Here is a summary of an access to the web server:

    C -> GET / -> S
    C <- 401, WWW-Authenticate: Negotiate <- S

    C -> GET /, Authorization: Negotiate xxxxx -> S
    C <- 401 <- S

    Here are the last 3 lines of error.log:

    [Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
    [Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
    [Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token

    So what's wrong please? I really need to make Kerberos work, not NTLM.

    Thanks for any help.
    --
    Julien ALLANOS
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos



  2. RE: kerberos authentication for apache on windows

    Quoting "Kallapur, Madhusudan V":

    > looks like your spnego is not requesting Kerberos tokens or windows xp
    > client doesn't support Kerberos tokens.


    Right. Both browsers (IE and Firefox) send the following Authorization header:

    Negotiate BASE64-encoded-NTLM (starts with NTLMSSP...)

    > 1. you may want to configure win xp client, I guess you are using IE
    > browser, as described in the link below
    >
    > http://msdn.microsoft.com/library/de.../en-us/dnsecur
    > e/html/http-sso-1.asp
    >


    Already configured IE to use SPNEGO. NTLM works well (using mod_auth_sspi on the
    Apache web server). For Firefox I've added the hostname of the web server to
    both network.negotiate-auth.trusted-uris and
    network.automatic-ntlm-auth.trusted-uris. For IE, my server is in the intranet
    zone and integrated Windows auth is enabled.

    > 2. I have used mod_auth_krb (http://modauthkerb.sourceforge.net/) to
    > configure my apache webserver ( running on linux) successfully for
    > SPNEGO with Kerberos authentication. you may want to add these lines to
    > your conf file
    >
    >
    > AuthType Kerberos
    > KrbMethodNegotiate on
    > ------ your rest of the stuff comes here -----
    >


    mod_auth_kerb isn't very portable to WIN32, that's why I'm using mod_spnego
    (that already has VC++ project files).

    >
    > 3. Use network protocol analyzer tools (ethereal works for me) to see
    > whats going on between KDC, client and server. You may want to run the
    > tool on client as it talks to both KDC and server.
    >


    I've just installed ethereal on the client, but I want to know which ports I
    have to listen on to get KDC messages (because a lot of packets are captured
    without using a filter, and filtering on port 80 only isn't sufficient I
    believe to see dialogs between the client SSPI layer and the KDC). Actually, I
    have the same box for the client (web browser), the web server and the KDC,
    maybe the problem comes from that...

    So why are my web browsers sending NTLM tokens in the Authorization header,
    instead of SPNEGO tokens?

    Thanks for your help.
    --
    Julien ALLANOS


  3. RE: kerberos authentication for apache on windows

    Julien ALLANOS said:

    > I've just installed ethereal on the client, but I want to know which ports I
    > have to listen on to get KDC messages (because a lot of packets are captured
    > without using a filter, and filtering on port 80 only isn't sufficient I
    > believe to see dialogs between the client SSPI layer and the KDC). Actually, I
    > have the same box for the client (web browser), the web server and the KDC,
    > maybe the problem comes from that...
    >
    > So why are my web browsers sending NTLM tokens in the Authorization header,
    > instead of SPNEGO tokens?


    For IE, follow the directions on
    http://msdn.microsoft.com/library/de...http-sso-1.asp
    (I think someone has already made this point), including shutting down ALL
    instances of IE and restarting IE.

    Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
    I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).

    I have seen IE send NTLM tokens under the following circumstances:

    1. web server sends IE the following:

    HTTP/1.1 401 Authorization Required
    ....
    WWW-Authenticate: NTLM
    ....

    2. IE is NOT configured as above and web server sends IE the following:

    HTTP/1.1 401 Authorization Required
    ....
    WWW-Authenticate: Negotiate
    ....

    mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
    mod_spnego, read Microsoft's directions very carefully.

    Sniff the following traffic:

    HTTP between IE and web server (usually port 80)
    Kerberos between IE and KDC (usually port 88)

    Frank


  4. RE: kerberos authentication for apache on windows

    Quoting Frank Balluffi:

    >
    > For IE, follow the directions on
    > http://msdn.microsoft.com/library/de...http-sso-1.asp
    > (I think someone has already made this point), including shutting down ALL
    > instances of IE and restarting IE.
    >
    > Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
    > I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).
    >
    > I have seen IE send NTLM tokens under the following circumstances:
    >
    > 1. web server sends IE the following:
    >
    > HTTP/1.1 401 Authorization Required
    > ...
    > WWW-Authenticate: NTLM
    > ...
    >
    > 2. IE is NOT configured as above and web server sends IE the following:
    >
    > HTTP/1.1 401 Authorization Required
    > ...
    > WWW-Authenticate: Negotiate
    > ...
    >
    > mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
    > mod_spnego, read Microsoft's directions very carefully.
    >
    > Sniff the following traffic:
    >
    > HTTP between IE and web server (usually port 80)
    > Kerberos between IE and KDC (usually port 88)
    >
    > Frank
    >


    I am now facing the following problem: browsers don't send NTLM tokens
    anymore but SPNEGO tokens (I believe). I don't really know what I did to make
    it work, but heh, it works. That's good. However, I get internal server errors
    from the web server. Actually I think mod_spnego couldn't find the keytab. So I
    copied the keytab file to C:\WINDOWS\krb5kt as stated in mod_spnego's README
    file. I am now getting this:

    [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego: gss_acquire_cred failed; GSS-API: Miscellaneous failure)
    [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego: gss_acquire_cred failed; GSS-API mechanism: No principal in keytab matches desired name)

    > klist -k c:\WINDOWS\krb5kt

    Keytab name: FILE:c:\WINDOWS\krb5kt
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR

    Any help please? Thanks.
    --
    Julien ALLANOS


  5. RE: kerberos authentication for apache on windows

    Julien ALLANOS said:

    > [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego: gss_acquire_cred failed; GSS-API: Miscellaneous failure)
    > [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego: gss_acquire_cred failed; GSS-API mechanism: No principal in keytab matches desired name)
    >
    > > klist -k c:\WINDOWS\krb5kt
    >
    > Keytab name: FILE:c:\WINDOWS\krb5kt
    > KVNO Principal
    > ---- --------------------------------------------------------------------------
    > 3 HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR


    Sniff the traffic between the browser and the KDC (usually port 88 of the
    KDC) and look at the service name in the HTTP ticket sent from the KDC to
    the browser in the TGS-REP, which should equal a name in the keytab.

    Also, I remember having difficulties using KRB5_KTNAME on Windows --
    either it was not supported on Windows or did not support drive letters
    (e.g., C:). There are two notes about KRB5_KTNAME in
    mod_spnego/readme.txt.

    Frank


  6. RE: kerberos authentication for apache on windows

    Julien ALLANOS said:

    > I am now facing the following problem: browsers don't send NTLM tokens
    > anymore but SPNEGO tokens (I believe). I don't really know what I did to
    > make it work, but heh, it works. That's good.


    For both NTLM and SPNEGO tokens, IE should send:

    Authorization: Negotiate

    followed by a base64-encoded token. To determine the type of token,
    capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C
    4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with
    hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long
    (most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2,
    which identifies the SPNEGO GSSAPI mechanism.

    Frank


  7. RE: kerberos authentication for apache on windows

    Quoting Frank Balluffi:

    > Julien ALLANOS said:
    >
    >> I am now facing the following problem: browsers don't send NTLM tokens
    >> anymore but SPNEGO tokens (I believe). I don't really know what I did to
    >> make it work, but heh, it works. That's good.
    >
    > For both NTLM and SPNEGO tokens, IE should send:
    >
    > Authorization: Negotiate
    >
    > followed by a base64-encoded token. To determine the type of token,
    > capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C
    > 4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with
    > hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long
    > (most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2,
    > which identifies the SPNEGO GSSAPI mechanism.
    >
    > Frank
    >


    I've sniffed on port 88 but I didn't see any packet. Probably because browser,
    KDC and web server are on the same machine? (I have only 1 machine on my domain
    atm).

    However, I can see the Authorization header (Negotiate + Base64 stuff) in the
    second GET request to the web server. The token begins with: 60 82 04 c7 06 06
    2b 06 01 05 05 02, which seems to be a SPNEGO token.

    Is the service name encoded somewhere in this token? If I look at it as plain
    text, I can see:

    ‚”0‚ ¡ADCASSARD.JAS.AQL.FR¢'0%
    ¡0HTTPadcassard.jas.aql.fr£‚F0‚B ¡

    so I believe the requested principal is
    HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR, which doesn't match what is
    inside the keytab (HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR). Then I
    created a new keytab with the new service name, but it didn't change anything, I
    still got the no match error.
    --
    Julien ALLANOS



  8. RE: kerberos authentication for apache on windows

    Julien ALLANOS said:

    > I've sniffed on port 88 but I didn't see any packet. Probably because browser,
    > KDC and web server are on the same machine? (I have only 1 machine on my domain
    > atm).


    Yes, you will need to run a KDC on a separate machine to sniff the traffic
    -- at least with Ethereal.

    > However, I can see the Authorization header (Negotiate + Base64 stuff) in the
    > second GET request to the web server. The token begins with: 60 82 04 c7 06 06
    > 2b 06 01 05 05 02, which seems to be a SPNEGO token.
    >
    > Is the service name encoded somewhere in this token? If I look at it as plain
    > text, I can see:
    >
    > 0 ADCASSARD.JAS.AQL.FR'0%
    > 0HTTPadcassard.jas.aql.frF0B
    >
    > so I believe the requested principal is
    > HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR, which doesn't match what is
    > inside the keytab (HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR). Then I
    > created a new keytab with the new service name, but it didn't change anything, I
    > still got the no match error.


    Yes, the browser is sending a SPNEGO token containing a ticket to
    HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR -- you can figure this out
    by looking at the ASN.1 in
    draft-ietf-krb-wg-kerberos-clarifications-07.txt. Everything looks fine
    except the Kerberos realm names do not match. You now need to figure out
    why the ticket contains the realm ADCASSARD.JAS.AQL.FR and the keytab
    contains the realm SRV1.ADCASSARD.JAS.AQL.FR.

    Frank


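Frank's two checks above, as one added example that is not code from the thread, from mod_spnego or from MIT Kerberos: classify a captured Negotiate header by its leading bytes (post 6) and, for a SPNEGO token, walk the ASN.1 down to the Ticket to read the realm and service name the browser is asking for, so they can be compared with the klist -k output (post 8). It assumes single-byte DER tags are enough for these tokens; the sample token is constructed here with the thread's names and dummy encrypted parts, not a real capture.

```python
import base64
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2: the 06 06 2B 06 01 05 05 02 from the thread
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2: Kerberos V5 mechanism
NTLM_MAGIC = b"NTLMSSP\x00"                      # 4E 54 4C 4D 53 53 50 00

def der_iter(buf):
    """Yield (tag, content) for each TLV in buf; the length may use 1 to 3 bytes."""
    i = 0
    while i < len(buf):
        n, start = buf[i + 1], i + 2
        if n >= 0x80:                       # long form: 0x8N followed by N length bytes
            n, start = int.from_bytes(buf[start:start + (n & 0x7F)], "big"), start + (n & 0x7F)
        yield buf[i], buf[start:start + n]
        i = start + n

def der(tag, *contents):
    """Encode one TLV; only used to build the constructed sample token below."""
    body = b"".join(contents)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def classify_token(header_value):
    """'NTLM', 'SPNEGO' or 'unknown' for an Authorization value 'Negotiate <base64>'."""
    tok = base64.b64decode(header_value.split()[-1])
    if tok.startswith(NTLM_MAGIC):
        return "NTLM"
    if tok[:1] == b"\x60" and next(der_iter(tok))[1].startswith(b"\x06\x06" + SPNEGO_OID):
        return "SPNEGO"                     # InitialContextToken: 60 <len> 06 06 <SPNEGO OID>
    return "unknown"

def find_ticket(buf):
    """Depth-first search for the [APPLICATION 1] Ticket (tag 0x61): descends into constructed
    nodes and into the OCTET STRING mechToken (its KRB5 01 00 TOK_ID parses as an empty BOOLEAN)."""
    for tag, content in der_iter(buf):
        if tag == 0x61:
            return content
        if tag & 0x20 or (tag == 0x04 and content[:1] == b"\x60"):
            found = find_ticket(content)
            if found is not None:
                return found
    return None

def requested_principal(header_value):
    """'service/host@REALM' from the Ticket inside a SPNEGO token (realm is field [1],
    sname is field [2]); this is the name that must appear in the klist -k output."""
    ticket = find_ticket(base64.b64decode(header_value.split()[-1]))
    fields = dict(der_iter(next(c for t, c in der_iter(ticket) if t == 0x30)))
    realm = next(c for _, c in der_iter(fields[0xA1])).decode()
    pname = dict(der_iter(next(c for _, c in der_iter(fields[0xA2]))))
    names = next(c for _, c in der_iter(pname[0xA1]))      # name-string: SEQUENCE OF KerberosString
    return "/".join(c.decode() for _, c in der_iter(names)) + "@" + realm

def sample_spnego_token(realm="ADCASSARD.JAS.AQL.FR", host="adcassard.jas.aql.fr"):
    """Constructed sample (not a capture): NegTokenInit > KRB5 AP-REQ > Ticket for HTTP/host@realm."""
    gs = lambda s: der(0x1B, s.encode())                    # KerberosString
    enc = der(0x30, der(0xA0, der(0x02, b"\x17")), der(0xA2, der(0x04, b"\x00" * 8)))  # dummy EncryptedData
    sname = der(0x30, der(0xA0, der(0x02, b"\x01")), der(0xA1, der(0x30, gs("HTTP"), gs(host))))
    ticket = der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05")), der(0xA1, gs(realm)), der(0xA2, sname), der(0xA3, enc)))
    ap_req = der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")), der(0xA1, der(0x02, b"\x0e")),
                           der(0xA2, der(0x03, b"\x00" * 5)), der(0xA3, ticket), der(0xA4, enc)))
    krb5 = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    init = der(0x30, der(0xA0, der(0x30, der(0x06, KRB5_OID))), der(0xA2, der(0x04, krb5)))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, init))).decode()
```

Fed the thread's real header, requested_principal would return HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR, which is exactly the realm mismatch against the SRV1 keytab entry that Frank points out.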

  9. RE: kerberos authentication for apache on windows

    Quoting Frank Balluffi :

    > Julien ALLANOS said:
    >
    >> I've sniffed on port 88 but I didn't see any packet. Probably because browser,
    >> KDC and web server are on the same machine? (I have only 1 machine on my domain
    >> atm).
    >
    > Yes, you will need to run a KDC on a separate machine to sniff the traffic
    > -- at least with Ethereal.
    >
    >> However, I can see the Authorization header (Negotiate + Base64 stuff) in the
    >> second GET request to the web server. The token begins with: 60 82 04 c7 06 06
    >> 2b 06 01 05 05 02, which seems to be a SPNEGO token.
    >>
    >> Is the service name encoded somewhere in this token? If I look at it as plain
    >> text, I can see:
    >>
    >> ‚”0‚ ¡ADCASSARD.JAS..AQL.FR¢'0%
    >> ¡0HTTPadcassard.jas.aql.fr£‚F0‚B ¡
    >>
    >> so I believe the requested principal is
    >> HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR, which doesn't match what is
    >> inside the keytab (HTTP/adcassard.jas.aql.fr@SRV1.ADCASSARD.JAS.AQL.FR). Then I
    >> created a new keytab with the new service name, but it didn't change anything, I
    >> still got the no match error.
    >
    > Yes, the browser is sending a SPNEGO token containing a ticket to
    > HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR -- you can figure this out
    > by looking at the ASN.1 in
    > draft-ietf-krb-wg-kerberos-clarifications-07.txt. Everything looks fine
    > except the Kerberos realm names do not match. You now need to figure out
    > why the ticket contains the realm ADCASSARD.JAS.AQL.FR and the keytab
    > contains the realm SRV1.ADCASSARD.JAS.AQL.FR.
    >
    > Frank
    >


    As I said, I've created a new keytab with the
    HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR service name (using ktpass).
    klist now shows the correct principal:

    > klist -k c:\WINDOWS\krb5kt

    Keytab name: FILE:c:\WINDOWS\krb5kt
    KVNO Principal
    ---- --------------------------------------------------------------------------
    4 HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR

    I've restarted Apache, restarted Firefox on the client session and requested the
    URL again. I got the same error: no principal match.
    --
    Julien ALLANOS



  10. RE: kerberos authentication for apache on windows

    jas@aql.fr wrote on 06/06/2005 10:21:12 AM:

    > As I said, I've created a new keytab with the
    > HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR service name (using ktpass).
    > klist now shows the correct principal:
    >
    > > klist -k c:\WINDOWS\krb5kt
    >
    > Keytab name: FILE:c:\WINDOWS\krb5kt
    > KVNO Principal
    > ---- --------------------------------------------------------------------------
    > 4 HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR
    >
    > I've restarted Apache, restarted Firefox on the client session and
    > requested the URL again. I got the same error: no principal match.


    I am not sure why it is failing. For the sake of thoroughness, you might
    want to check what encryption types are being used. To check the keytab
    pass -e to klist:

    klist -e -k c:\WINDOWS\krb5kt

    To check the token requires decoding. If you send me the token (out of
    band), I will check it. Because I have seen problems with key version
    numbers (kvno) and Windows Server 2003, you might want to also try
    deleting and recreating the service account and recreating the keytab. You
    should then see kvno equal to 1.

    Frank


  11. Re: kerberos authentication for apache on windows

    Julien ALLANOS wrote:
    > mod_auth_kerb isn't very portable to WIN32, that's why I'm using mod_spnego
    > (that already has VC++ project files).


    The current CVS version contains better support for WIN32, however without
    any MSVC project files.
