Re: Seamless/transparent SSO with Apache, Win2003, IE - Kerberos

  1. Re: Seamless/transparent SSO with Apache, Win2003, IE

    Did you have the 'Use DES encryption types for this account' option ticked
    for the HTTP service account when generating its keytab file?

    Regards,

    Sung-ho Jee





    Fred Dennis
    Sent by: kerberos-bounces@mit.edu
    11/11/2005 12:41 AM


    To: kerberos@mit.edu
    cc:
    Subject: Seamless/transparent SSO with Apache, Win2003, IE


    I'm trying to create a seamless sign on to a web site
    using Solaris (Kerberos installed), Apache
    (mod_auth_kerb installed), MS Active directory, and IE
    client.

    I can authenticate using an AD user/pass to a website
    if the IE option "Enable Integrated Authentication" is
    *UN*checked. When going to the url I get a login
    prompt and enter the account information, then am
    allowed access to the web site.

    However, when the option is CHECKED, I am passed
    directly to the web site (which is what I want), BUT
    get the apache log errors below and a "Page cannot be
    displayed" error.

    Looking at the packets going to/from web server I can
    see some sort of negotiation going on, but also see a
    "checksum incorrect" message. The ethereal output is
    below.

    I would greatly appreciate assistance with this. I've
    been trying to find a solution for the past week to no
    avail.

    Thanks!

    ============ APACHE ERROR LOG ===============
    [Thu Nov 10 08:34:37 2005] [debug]
    src/mod_auth_kerb.c(1322): [client 10.76.105.97]
    kerb_authenticate_user entered with user (NULL) and
    auth_type Kerberos
    [Thu Nov 10 08:34:37 2005] [debug]
    src/mod_auth_kerb.c(1023): [client 10.76.105.97]
    Acquiring creds for
    HTTP/curly.corp.inthosts.net@MAX.INTHOSTS.NET

    ================ PACKET CAPTURE ===============
    Frame 7 (2051 bytes on wire, 2051 bytes captured)
    Ethernet II, Src: Intel_40:15:ec (00:d0:b7:40:15:ec),
    Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Internet Protocol, Src: 10.76.105.97 (10.76.105.97),
    Dst: 10.76.65.113 (10.76.65.113)
    Transmission Control Protocol, Src Port: 3188 (3188),
    Dst Port: http (80), Seq: 315, Ack: 853, Len: 1997
    Source port: 3188 (3188)
    Destination port: http (80)
    Sequence number: 315 (relative sequence number)
    Next sequence number: 2312 (relative sequence number)
    Acknowledgement number: 853 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 64683

    *****************************************************
    *****************************************************
    * CHECKSUM ERROR -- comments added by me
    *****************************************************
    *****************************************************

    Checksum: 0xbf70 [incorrect, should be 0x2f4c]
    SEQ/ACK analysis
    Hypertext Transfer Protocol
    GET /cgi-bin/1/printenv HTTP/1.1\r\n
    Request Method: GET
    Request URI: /cgi-bin/1/printenv
    Request Version: HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg,
    image/pjpeg, */*\r\n
    Accept-Language: en-us\r\n
    UA-CPU: x86\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
    Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n
    Host: curly.corp.inthosts.net\r\n
    Connection: Keep-Alive\r\n
    Authorization: Negotiate
    YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSXYIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBNQVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx
    GSS-API Generic Security Service Application
    Program Interface
    OID: 1.3.6.1.5.5.2 (SPNEGO - Simple
    Protected Negotiation)
    SPNEGO
    negTokenInit
    mechTypes: 3 items
    Item: 1.2.840.48018.1.2.2 (MS
    KRB5 - Microsoft Kerberos 5)
    Item: 1.2.840.113554.1.2.2
    (KRB5 - Kerberos 5)
    Item: 1.3.6.1.4.1.311.2.2.10
    (NTLMSSP - Microsoft NTLM Security Support Provider)
    mechToken:
    6082049306092A864886F71201020201006E820482308204...
    krb5_blob:
    6082049306092A864886F71201020201006E820482308204...
    KRB5 OID: 1.2.840.113554.1.2.2
    (KRB5 - Kerberos 5)
    krb5_tok_id: KRB5_AP_REQ
    (0x0001)
    Kerberos AP-REQ
    Pvno: 5
    MSG Type: AP-REQ (14)
    Padding: 0
    APOptions: 20000000
    (Mutual required)
    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
    ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
    Ticket
    Tkt-vno: 5
    Realm:
    MAX.INTHOSTS.NET
    Server Name (Service
    and Instance): HTTP/curly.corp.inthosts.net
    Name-type: Service
    and Instance (2)
    Name: HTTP
    Name:
    curly.corp.inthosts.net
    enc-part rc4-hmac
    Encryption type:
    rc4-hmac (23)
    Kvno: 2
    enc-part:
    B03EAB462F73653D61D98C3CA97705CFFD50D177D14021EA...
    Authenticator rc4-hmac
    Encryption type:
    rc4-hmac (23)
    Authenticator data:
    E3A02A891F9A43AD16797C0D26D395BA356381948B70C925...
    \r\n




    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos




  2. Re: Seamless/transparent SSO with Apache, Win2003, IE

    Yes, checksum problem. I do think there is a compatibility problem in IE6.
    Hope this link would help:
    http://www.microsoft.com/technet/pro.../tkerberr.mspx

    ----- Original Message -----
    From: "Sung Ho Jee"
    To: "Fred Dennis"
    Cc:
    Sent: Friday, November 11, 2005 10:08 AM
    Subject: Re: Seamless/transparent SSO with Apache, Win2003, IE

