failed to authenticate using mod_auth_kerb for Apache - Kerberos



Thread: failed to authenticate using mod_auth_kerb for Apache

  1. failed to authenticate using mod_auth_kerb for Apache

    Hello Everybody,
    I'm experiencing a problem that is getting very serious for me, since I have
    not found any solution for a week.
    I have a SuSE 9.0 Enterprise Server installed with Apache 2.0.49.
    My goal is to set up Kerberos authentication.
    I have also installed and configured the mod_auth_kerb module for Apache.
    Now I'm trying to access protected pages on my server via browser (I tried
    IE6, Mozilla 1.7.12 and Firefox 1.5b1).
    I'm constantly getting 401 Error - authentication failed!
    I have debugged the HTTP calls and have found that the browser sends an NTLMSSP
    response instead of a Kerberos one.
    As a result Apache writes the following to the error log:

    [Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.154] Acquiring creds for HTTP/gvepl100.internal.epo.org@INTERNAL.EPO.ORG
    [Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.154] Verifying client data using KRB5 GSS-API
    [Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.154] Verification returned code 589824
    [Mon Oct 03 11:04:04 2005] [debug] src/mod_auth_kerb.c(1194): [client 10.3.103.154] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [Mon Oct 03 11:04:04 2005] [error] [client 10.3.103.154] gss_accept_sec_context() failed: A token was invalid (Success)

    For a week already I haven't been able to find a workaround for the problem, or at
    least the reason for such behaviour.
    And this does not depend on the browser - IE, Mozilla or Firefox - I'm
    getting the same on all of them.
    I would very much appreciate it if somebody gave me a hint about what is happening,
    why, and how to solve the problem.
    --
    Thanks a lot in advance,
    Siarhei Baidun
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: failed to authenticate using mod_auth_kerb for Apache

    Can you describe what you have done? When you always get an NTLM token it
    normally means that there is no key for this service in your KDC. Check
    that you don't use CNAMEs. Use kerbtray on your Windows machine to see
    which tickets are available for IE.

    Regards
    Markus

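Markus's diagnosis above (a browser that always sends NTLM has no ticket for the HTTP/<host> service) and the "received token seems to be NTLM" warning in the first post both come down to what the client put in its Authorization: Negotiate header. The Python below is an added example, not code from the thread or from mod_auth_kerb: it does that triage offline on a header value copied from a request capture, classifying it as a bare NTLMSSP message or a GSS-API token and, for SPNEGO, listing the mechanisms the client offered. All sample tokens are constructed inside the block.

```python
import base64

# GSS-API mechanism OIDs a Windows browser can carry inside "Authorization: Negotiate".
OID_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
             "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _der_tlv(buf, pos, tag):  # read one DER TLV with this tag at pos -> (content, next_pos)
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}, got {buf[pos]:#x}")
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return buf[start:start + length], start + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <b64>' value: bare NTLMSSP (what mod_auth_kerb
    rejects as "seems to be NTLM") or a GSS token; for SPNEGO also list the mechs offered."""
    token = base64.b64decode(header_value.strip().split(None, 1)[-1])
    if token.startswith(b"NTLMSSP\x00"):               # bare NTLM message, not GSS-wrapped
        return {"mechanism": "NTLMSSP", "mechs_offered": [],
                "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    body, _ = _der_tlv(token, 0, 0x60)                 # InitialContextToken [APPLICATION 0]
    oid_raw, pos = _der_tlv(body, 0, 0x06)
    mech = OID_NAMES.get(decode_oid(oid_raw), decode_oid(oid_raw))
    offered = []
    if mech == "SPNEGO" and body[pos:pos + 1] == b"\xa0":   # NegTokenInit [0]
        seq, _ = _der_tlv(_der_tlv(body, pos, 0xA0)[0], 0, 0x30)
        mech_list, _ = _der_tlv(_der_tlv(seq, 0, 0xA0)[0], 0, 0x30)   # [0] mechTypes
        p = 0
        while p < len(mech_list):
            oid, p = _der_tlv(mech_list, p, 0x06)
            offered.append(OID_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return {"mechanism": mech, "mechs_offered": offered, "ntlm_message_type": None}

# --- constructed sample tokens; not captured from the server in the thread ---
def _tlv(tag, content):  # tiny DER encoder (short-form lengths only) for the samples
    return bytes([tag, len(content)]) + content
SPNEGO_OID, NTLM_OID = bytes.fromhex("2b0601050502"), bytes.fromhex("2b06010401823702020a")
KRB5_OID, MSKRB5_OID = bytes.fromhex("2a864886f712010202"), bytes.fromhex("2a864882f712010202")
def spnego_init_header(mech_oids):
    """Build 'Negotiate <b64 NegTokenInit>' offering mech_oids plus a placeholder mechToken."""
    mech_types = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_types) + _tlv(0xA2, _tlv(0x04, b"\x60\x00")))
    token = _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()

NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)  # IE falling back to NTLM
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
KRB_HEADER = spnego_init_header([MSKRB5_OID, KRB5_OID, NTLM_OID])  # has an HTTP/<host> ticket: Kerberos first, NTLM last
```

A client that offers only NTLMSSP inside SPNEGO, or sends a bare NTLMSSP message as above, never obtained a service ticket, which is the situation Markus describes.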

  3. Re: failed to authenticate using mod_auth_kerb for Apache

    Achim, thanks for your link.
    I tried it several days ago but the URL was inaccessible.
    I hope I have found the cause of my problem: I do not have an entry for my
    web server in the KDC (i.e. I missed point 6 of your guide).
    Will now create it and see what the results will be.
    Thanks,
    Siarhei Baidun

    On 10/3/05, Achim Grolms wrote:
    > On Monday 03 October 2005 11:30, you wrote:
    > > I would very much appreciate it if somebody gave me a hint about what is
    > > happening, why, and how to solve the problem.



  4. Re: failed to authenticate using mod_auth_kerb for Apache

    On 10/3/05, Markus Moeller wrote:

    > Can you describe what you have done ? When you always get a NTLM token it
    > normally means that there is no key for this service in your kdc. Check
    > that you don't use CNAMEs. Use kerbtray on your Windows machine to see
    > which tickets are available for IE.


    Hi Markus,
    You are right - I do not have the key for my web server in my KDC.
    I have read Achim's manual and have discovered that I missed that point -
    creation of service realm for my web server.
    In my case it is HTTP/gvepl100.internal.epo.org@INTERNAL.EPO.ORG
    With "klist.exe tickets" command I see the following tickets in cache on my
    workstation (Win2000):

    Server: krbtgt/INTERNAL.EPO.ORG@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 22:28:03
    Renew Time: 10/11/2005 9:28:03


    Server: krbtgt/INTERNAL.EPO.ORG@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 18:55:26
    Renew Time: 10/11/2005 5:55:26


    Server: ldap/GVW001.internal.epo.org/internal.epo.org@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 18:55:26
    Renew Time: 10/11/2005 5:55:26


    Server: LDAP/GVW001.internal.epo.org@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 18:55:26
    Renew Time: 10/11/2005 5:55:26


    Server: HOST/gvw001.internal.epo.org@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 18:55:26
    Renew Time: 10/11/2005 5:55:26


    Server: ldap/GVW002.internal.epo.org/internal.epo.org@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 18:55:26
    Renew Time: 10/11/2005 5:55:26


    Server: LDAP/GVW002.internal.epo.org@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/4/2005 18:55:26
    Renew Time: 10/11/2005 5:55:26


    Server: HOST/GVW010@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/3/2005 23:44:21
    Renew Time: 10/10/2005 10:44:21


    Server: HOST/GVW011@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/3/2005 23:44:21
    Renew Time: 10/10/2005 10:44:21


    Server: HOST/GVW001@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/3/2005 23:44:21
    Renew Time: 10/10/2005 10:44:21


    Server: HOST/GVW002@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/3/2005 23:44:21
    Renew Time: 10/10/2005 10:44:21


    Server: host/sb82058a.internal.epo.org@INTERNAL.EPO.ORG
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 10/3/2005 23:44:21
    Renew Time: 10/10/2005 10:44:21

    I guess I should have had a ticket for
    HTTP/gvepl100.internal.epo.org@INTERNAL.EPO.ORG as well.
    --
    Thanks,
    Siarhei Baidun


  5. Re: failed to authenticate using mod_auth_kerb for Apache

    Hi again guys,
    It is a nightmare ... I'm now experiencing another problem - with creating
    the principal for my web server and mapping it to the domain account.
    When I try to execute the following command:
    ktpass -princ HTTP/gvepl100.internal.epo.org@INTERNAL.EPO.ORG -mapuser PHXTEST -crypto DES-CBC-MD5 -pass blabla password -out c:\temp\gvepl100keytab
    I'm getting the following error:

    Failed to set property "servicePrincipalName" to "HTTP/gvepl100.internal.epo.org" on Dn "CN=PHXTEST - Phoenix Service Account,OU=GV Users,OU=GV,OU=EPO,DC=internal,DC=epo,DC=org": 0x32.
    WARNING: Unable to set SPN mapping data.
    If PHXTEST already has an SPN mapping installed for HTTP/gvepl100.internal.epo.org, this is no cause for concern.

    Maybe you guys have a clue what it is.
    I would really appreciate any help because I'm already exhausted
    with all this crap.
    --
    Many thanks,
    Siarhei Baidun


  6. Re: failed to authenticate using mod_auth_kerb for Apache

    On 10/4/05, Achim Grolms wrote:
    > On Tuesday 04 October 2005 12:30, Siarhei Baidun wrote:
    > > Failed to set property "servicePrincipalName" to
    >
    > <http://www.google.de/search?as_q=ktp...h=&safe=images>
    >
    > Google puts out a lot of sources of possible errors,
    > please check them.
    >
    > My first shot:
    > Is the test user account in AD being used for the first time?
    > Create a fresh user account for use with the principal mapping.

    Yep! It is a good idea!
    I tried to use an already existing one.
    Thanks!!!
    --
    Siarhei Baidun


  7. Re: failed to authenticate using mod_auth_kerb for Apache

    Hi again Everybody,
    For the second week I have been battling with the problem...
    A lot of problems I have already solved on the way thanks to your advice.
    Now I have done everything in compliance with the manual
    (http://www.grolmsnet.de/kerbtut/).
    I have created a fresh domain account in the test domain (because I cannot
    use the production one), have mapped the principal to it, etc.
    And now I'm getting the following error (in Apache's error_log file):
    --------------------- Apache's LOG
    in case
    KrbMethodK5Passwd on
    KrbMethodNegotiate off
    ------------------------

    [Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST@TEST.EPO authtype=Basic
    [Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /
    --------------------- Apache's LOG
    in case
    KrbMethodK5Passwd off
    KrbMethodNegotiate on
    ------------------------

    [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo@TEST.EPO
    [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194] Verifying client data using SPNEGO GSS-API
    [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
    [Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
    [Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194] configuration error: couldn't check access. No groups file?: /

    What does it mean? Which groups file do I not have?
    I would very, very much appreciate any help!
    Below are my httpd.conf and krb5.conf.
    --
    Thank you very much in advance,
    Siarhei Baidun
    ------------------
    krb5.conf
    -----------------

    [libdefaults]
    default_realm = TEST.EPO

    [domain_realm]
    gvepl100.test.epo = TEST.EPO

    [realms]
    TEST.EPO = {
    admin_server = odessa.test.epo
    kdc = odessa.test.epo
    }

    ---------------------------- Apache's httpd.conf ----------------------------------

    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5KeyTab /etc/wolfi2.keytab

    KrbAuthRealms TEST.EPO

    KrbMethodK5Passwd on
    KrbMethodNegotiate off
    KrbServiceName HTTP
    require valid-user


    ------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------

    Vno Type Principal
    1 des-cbc-md5 HTTP/gvepl100.test.epo@TEST.EPO


  8. Re: failed to authenticate using mod_auth_kerb for Apache

    Hello Everybody,
    Just a little question.
    Do I need to have the principal HOST/gvepl100.test.epo@TEST.EPO for my web
    server machine, or is it enough to have only the HTTP/gvepl100.test.epo@TEST.EPO
    one?
    Because this issue is not described in the manual
    (http://www.grolmsnet.de/kerbtut/).
    I'm constantly getting the error: "configuration error: couldn't check
    access. No groups file?: /"
    And I just think that this error means that mod_auth_kerb does not try to
    authorize the user with the KDC as the user database on the web server (in my
    case it is gvepl100.test.epo), and it tries to find some file as the user
    database instead. And the reason might be that I do not have the principal
    HOST/gvepl100.test.epo@TEST.EPO for my web server, but only this one:
    HTTP/gvepl100.test.epo@TEST.EPO.
    Is this guess right?
    --
    Thanks,
    Siarhei Baidun



