Problem to have mod_auth_kerb to work - Kerberos


Thread: Problem to have mod_auth_kerb to work

  1. Problem to have mod_auth_kerb to work

    Hi,

    I have a linux (Fedora Core 4) web server running Apache (2.0) with
    mod_auth_kerb and Tomcat.
    I want to implement a SSO for my web application.

    I have setup my system according to some documentation I found on the
    web:
    http://www.grolmsnet.de/kerbtut/

    So I have my account created on the KDC for the HTTP service. I have
    checked the ticket with kvno and it seems fine.

    My problem: IE (and Firefox, but if I could at least get IE to work that
    would be a start) keeps popping up the logon window. After sniffing the
    packets, I can see that the Basic authentication mode was sent back to
    the web browser. So I changed my settings so that Basic is not sent
    back. I was expecting Negotiate then to be sent, but this is not the
    case.

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms MY.REALM.COM
    Krb5Keytab /etc/krb5.keytab
    KrbDelegateBasic off
    KrbMethodK5Passwd off
    KrbMethodNegotiate on
    require valid-user

    I then hacked mod_auth_kerb code to send Negotiate, but despite this I
    keep having a window popping up.
    What am I doing wrong?
    Any help would be greatly appreciated.

    Thanks
    Yannick


  2. Re: Problem to have mod_auth_kerb to work

    Smellyfrog wrote:
    >
    > I have a linux (Fedora Core 4) web server running Apache (2.0) with
    > mod_auth_kerb and Tomcat.
    > I want to implement a SSO for my web application.


    Does mod_auth_kerb really do GSSAPI ?

    I thought it was just an implementation of HTTP basic auth, with Kerberos
    instead of the AuthUserFile.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  3. Re: Problem to have mod_auth_kerb to work

    mod_auth_kerb can do either GSSAPI and/or Kerberos through Basic (you should
    protect it with SSL)

    Markus


  4. Re: Problem to have mod_auth_kerb to work

    Smellyfrog wrote:
    > My problem: IE (and Firefox, but if I could at least get IE to work that
    > would be a start) keeps popping up the logon window.


    For IE, you need the server in the LocalIntranet zone. If it is
    displayed as "Internet", double-click that icon, and add the server
    explicitly.

    This is likely not the problem, though.

    > What am I doing wrong?


    Hard to tell. My guess is that the host name doesn't match the
    service principal in your keytab, because of reverse-lookup
    problems.

    To analyse this, set LogLevel to debug, and then read the error
    log for pertinent messages.

    If you find an answer, please do post it.

    Regards,
    Martin

  5. Re: Problem to have mod_auth_kerb to work

    On Thursday 12 January 2006 17:06, Smellyfrog wrote:

    > My problem: IE (and Firefox, but if I could at least get IE to work that
    > would be a start) keeps popping up the logon window.


    Please

    1. send the relevant part from Apache errorlog
    2. Do a HEAD request to the location and send the HTTP-Headers
    3. ensure you have done all the debugging described in Section "10. Debugging"


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  6. Re: Problem to have mod_auth_kerb to work

    Markus Moeller wrote:
    >>>
    >>> I have a linux (Fedora Core 4) web server running Apache (2.0) with
    >>> mod_auth_kerb and Tomcat.
    >>> I want to implement a SSO for my web application.

    >>
    >> Does mod_auth_kerb really do GSSAPI ?
    >>
    >> I thought it was just an implementation of HTTP basic auth, with Kerberos
    >> instead of the AuthUserFile.


    > mod_auth_kerb can do either GSSAPI and/or Kerberos through Basic (you should
    > protect it with SSL)


    I have read http://modauthkerb.sourceforge.net/configure.html and it
    is not clear to me: how do you turn off Basic and leave only GSSAPI on?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  7. Re: Problem to have mod_auth_kerb to work

    Hi Achim,

    Following are the headers of the request and reply to and from the
    webserver.

    Request from IE to the webserver:

    GET /iViewXT/login.do HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-ie
    Host: gtci2736vm
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Connection: Keep-Alive

    Reply:

    HTTP/1.0 401 Authorization Required
    Date: Fri, 13 Jan 2006 09:50:14 GMT
    Server: Apache/2.0.53-dev (Unix)
    WWW-Authenticate: Negotiate
    WWW-Authenticate: Basic realm="Kerberos Login"
    Content-Length: 599
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    401 Authorization Required

    This server could not verify that you are authorized to access the
    document requested. Either you supplied the wrong credentials (e.g.,
    bad password), or your browser doesn't understand how to supply the
    credentials required.

    Additionally, a 403 Forbidden error was encountered while trying to
    use an ErrorDocument to handle the request.

    Apache/2.0.53-dev (Unix) Server at gtci2736vm Port 443


    I hadn't seen that Kerberos Events were not trapped, so I'm going to
    check that out. It seems that IE is actually not requesting the HTTP
    ticket from the KDC. So hopefully the event viewer will show why.

    Thanks for your previous quick response.
    I'll keep this thread updated with my progress.
    Yannick


  8. Re: Problem to have mod_auth_kerb to work

    Hi all,

    Another mistake of mine was that I had set the log level to debug in
    apache but not for the virtual host. So now that this is done, this is
    the kind of debug statement I get from apache:

    [Fri Jan 13 10:40:45 2006] [info] Initial (No.1) HTTPS request received
    for child 2 (server GTCI2736VM.bgt.banta.com:443)
    [Fri Jan 13 10:40:45 2006] [debug] src/mod_auth_kerb.c(1333): [client
    172.24.25.100] kerb_authenticate_user entered with user (NULL) and
    auth_type Kerberos
    [Fri Jan 13 10:40:45 2006] [debug] src/mod_auth_kerb.c(1023): [client
    172.24.25.100] Acquiring creds for HTTP/gtci2736vm@BGT.BANTA.COM
    [Fri Jan 13 10:40:45 2006] [debug] src/mod_auth_kerb.c(1152): [client
    172.24.25.100] Verifying client data using KRB5 GSS-API
    [Fri Jan 13 10:40:45 2006] [debug] src/mod_auth_kerb.c(1168): [client
    172.24.25.100] Verification returned code 589824
    [Fri Jan 13 10:40:45 2006] [debug] src/mod_auth_kerb.c(1194): [client
    172.24.25.100] Warning: received token seems to be NTLM, which isn't
    supported by the Kerberos module. Check your IE configuration.
    [Fri Jan 13 10:40:45 2006] [error] [client 172.24.25.100]
    gss_accept_sec_context() failed: A token was invalid (Token header is
    malformed or corrupt)
    [Fri Jan 13 10:40:45 2006] [error] [client 172.24.25.100] (2)No such
    file or directory: cannot access type map file:
    HTTP_UNAUTHORIZED.html.var

    My Webserver is gtci2736vm (Fedora on a VMware environment) IP
    172.24.25.130
    My client is an XP pro (Host to VMware workstation) with IP
    172.24.25.100
    My KDC is also our AD and is Windows 2003 box.

    So, as you can see, it seems that we are receiving an NTLM token. My IE
    config seems OK. I followed the guidelines to add my web server in the
    trusted intranet settings, and since I have XP pro, the tick box Enable
    Integrated Windows Authentication was already ticked. But you know
    what, I unticked it restarted IE and Ticked it again and restarted just
    in case. At this stage I'm considering exorcism or Voodoo ceremony.

    So WTF is going wrong? Please make the suffering end. ;o)
    Yannick
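The fallback reported in the log above is visible in the first bytes of the token the browser sends. As an added example that is not from this thread or from mod_auth_kerb, the following Python distinguishes what a server can find behind `Authorization: Negotiate` (an NTLMSSP message, an SPNEGO-wrapped GSS-API token, or a raw Kerberos GSS-API token), and lists the schemes a 401 offers, which is how one confirms whether Basic is still on the wire. The sample tokens are constructed placeholders, not captured traffic; the NTLM flag bytes and the inner token payloads are arbitrary filler.

```python
import base64

# Signatures used to tell the schemes apart. An HTTP Negotiate token is the
# base64 of either an NTLMSSP message or a GSS-API InitialContextToken
# (RFC 2743 section 3.1): tag 0x60, a DER length, the mechanism OID, then
# the mechanism-specific inner token.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # OID 1.2.840.113554.1.2.2


def der_length(n):
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_der_length(buf, pos):
    """Return (length, position_after_length) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def gss_initial_token(mech_oid_der, inner):
    """Wrap an inner token in a GSS-API InitialContextToken for mech_oid_der."""
    body = mech_oid_der + inner
    return b"\x60" + der_length(len(body)) + body


def classify_negotiate_token(token_b64):
    """Classify the token following 'Authorization: Negotiate '.
    Returns 'ntlm', 'spnego', 'krb5', 'unknown' or 'malformed'."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if raw[:1] == b"\x60":
        try:
            _, pos = decode_der_length(raw, 1)
        except (ValueError, IndexError):
            return "malformed"
        if raw.startswith(SPNEGO_OID, pos):
            return "spnego"
        if raw.startswith(KRB5_OID, pos):
            return "krb5"
    return "unknown"


def classify_authorization(header_value):
    """Classify a full Authorization header value as the server sees it."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"        # user:password in base64, acceptable only over TLS
    if scheme == "negotiate":
        return classify_negotiate_token(token.strip())
    return "other"


def challenge_schemes(www_authenticate_values):
    """Schemes offered in a 401, from the list of WWW-Authenticate header values."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]


# Constructed sample tokens for demonstration only (not captured traffic).
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(24)
SAMPLE_NTLM = base64.b64encode(NTLM_TYPE1).decode()
SAMPLE_SPNEGO = base64.b64encode(gss_initial_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")).decode()
SAMPLE_KRB5 = base64.b64encode(gss_initial_token(KRB5_OID, b"\x01\x00" + bytes(16))).decode()
SAMPLE_UNKNOWN = base64.b64encode(b"\x60\x05hello").decode()   # 0x60 tag, no known OID

if __name__ == "__main__":
    for value in (f"Negotiate {SAMPLE_NTLM}", f"Negotiate {SAMPLE_SPNEGO}",
                  f"Negotiate {SAMPLE_KRB5}", "Basic dXNlcjpwYXNz"):
        print(f"{value[:40]:40} -> {classify_authorization(value)}")
    print(challenge_schemes(["Negotiate", 'Basic realm="Kerberos Login"']))
```

An NTLM token is not a server-side parse error but a client decision: the browser could not obtain a Kerberos service ticket for the name it connected to (no matching SPN registered, wrong keytab, host outside the Intranet zone) and fell back, so the fix lies on the client and KDC side, which is what the keytab regeneration in the next post bears out. The warning in the log above comes from a similar prefix check inside the module. If the 401 still lists `basic`, the password travels base64-encoded on the next request, so either leave KrbMethodK5Passwd off or serve the location only over TLS, as Markus said earlier in the thread.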


  9. Re: Problem to have mod_auth_kerb to work

    OK, it's getting sad. I'm replying to my own posts. ;o) What was wrong
    was the way the Keytab had been generated. I asked our admin to
    regenerate it but this time following exactly Achim's way. So now I
    have a ticket for the HTTP service being generated in my XP Client.

    In apache though I have the following:
    [Fri Jan 13 12:57:16 2006] [info] Initial (No.1) HTTPS request received
    for child 0 (server GTCI2736VM.bgt.banta.com:443)
    [Fri Jan 13 12:57:16 2006] [debug] src/mod_auth_kerb.c(1326): [client
    172.24.25.100] kerb_authenticate_user entered with user (NULL) and
    auth_type Kerberos
    [Fri Jan 13 12:57:16 2006] [debug] src/mod_auth_kerb.c(1023): [client
    172.24.25.100] Acquiring creds for HTTP/gtci2736vm@BGT.BANTA.COM
    [Fri Jan 13 12:57:16 2006] [error] [client 172.24.25.100]
    gss_acquire_cred() failed: Miscellaneous failure (Permission denied)

    SO any idea on why I have a failure with permission denied is more than
    welcome.

    Thanks
    Yannick


  10. Re: Problem to have mod_auth_kerb to work

    Check the keytab permissions. If apache runs as webuser and the default
    keytab has only root read permission you will see this error.

    Markus


  11. Re: Problem to have mod_auth_kerb to work

    Smellyfrog writes:

    > [Fri Jan 13 12:57:16 2006] [debug] src/mod_auth_kerb.c(1023): [client
    > 172.24.25.100] Acquiring creds for HTTP/gtci2736vm@BGT.BANTA.COM


    This looks wrong. Normally the instance of the HTTP/* principal must be a
    fully-qualified hostname.

    --
    Russ Allbery (rra@stanford.edu)

  12. Re: Problem to have mod_auth_kerb to work

    Victor Sudakov wrote:
    > I have read http://modauthkerb.sourceforge.net/configure.html and it
    > is not clear to me: how do you turn off Basic and leave only GSSAPI on?


    What's unclear about

    KrbMethodK5Passwd on | off (set to on by default)

    To enable or disable the use of password based authentication for
    Kerberos v5.

    ???

    Regards,
    Martin

  13. Re: Problem to have mod_auth_kerb to work

    Smellyfrog wrote:
    > SO any idea on why I have a failure with permission denied is more than
    > welcome.


    There is no point in guessing. Analyse the IP communication of the
    client machine using ethereal; pay particular attention to Kerberos
    communication. Try to find out what tickets the client attempts to
    obtain, and what the KDC's response is.

    Regards,
    Martin

  14. Re: Problem to have mod_auth_kerb to work

    "Martin v. Löwis" wrote:
    >> I have read http://modauthkerb.sourceforge.net/configure.html and it
    >> is not clear to me: how do you turn off Basic and leave only GSSAPI on?

    >
    > What's unclear about
    >
    > KrbMethodK5Passwd on | off (set to on by default)


    The term "KrbMethodK5Passwd" was unclear.
    So the "password based authentication for Kerberos v5" means Basic
    with Kerberos password backend, doesn't it.

    >
    > To enable or disable the use of password based authentication for
    > Kerberos v5.


    Thanks for clarification.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  15. Re: Problem to have mod_auth_kerb to work

    Victor Sudakov writes:
    > "Martin v. Löwis" wrote:
    >>> I have read http://modauthkerb.sourceforge.net/configure.html and it
    >>> is not clear to me: how do you turn off Basic and leave only GSSAPI on?

    >>
    >> What's unclear about
    >>
    >> KrbMethodK5Passwd on | off (set to on by default)


    > The term "KrbMethodK5Passwd" was unclear.
    > So the "password based authentication for Kerberos v5" means Basic
    > with Kerberos password backend, doesn't it.


    Correct.

    --
    Russ Allbery (rra@stanford.edu)

  16. Re: Problem to have mod_auth_kerb to work

    I made some progress, but not much.
    I followed Markus advice and changed the permissions for the Keytab
    file. That brought me to the next step:
    I have still a not fully qualified name for my service:
    [Mon Jan 16 16:23:12 2006] [debug] src/mod_auth_kerb.c(1039): [client
    172.24.25.100] Acquiring creds for HTTP/gtci2736vm@BGT.BANTA.COM
    I would be expecting HTTP/gtci2736vm.bgt.banta.com@BGT.BANTA.COM
    instead. I actually don't understand why the fully qualified name is
    not showing.
    Does anyone know how is gss checking for the service name?

    When I check with Ethereal I have an HTTP get request with some SPNEGO
    data: When I go down to the Kerberos part, I find the following error:
    BER: Error length:1457 longer than tvb_reported_length_remaining:831.
    Is that an ethereal problem or a Kerberos issue?

    This said, when I look at the raw packet, it looks like I have
    HTTP/gtci2736vm.bgt.banta.com as part of the kerberos packet.
    In windows (using kerbtray), the service name is correct (ie: the full
    string not just the machine part).

    So any idea on how to resolve what seems like the last step before
    success (Or so I hope anyway).

    Thanks a mil'
    Yannick


  17. Re: Problem to have mod_auth_kerb to work

    Change the entries in your hosts file. You probably have:

    IP shorthostname fqdn

    change it to:

    IP fqdn shorthostname

    Markus



  18. Re: Problem to have mod_auth_kerb to work

    On Thursday 12 January 2006 19:01, Victor Sudakov wrote:

    > Does mod_auth_kerb really do GSSAPI ?


    Yes. Please have a look at


    > I thought it was just an implementation of HTTP basic auth, with Kerberos
    > instead of the AuthUserFile.


    mod_auth_kerb can be run in two modes:

    1. Basic Auth with KDC as user database (KrbMethodK5Passwd on)
    2. GSSAPI (over HTTP). (KrbMethodNegotiate on)

    Achim

    --
    using mod_auth_kerb and Windows 2000/2003 as KDC:



  19. Re: Problem to have mod_auth_kerb to work

    Thank you all for your help; I eventually managed to make it work.

    What was wrong in my config:
    - The keytab had not been generated exactly like it was described in
    Achim's guide (http://www.grolmsnet.de/kerbtut/ ).
    Solution: regenerate the keytab using EXACTLY the settings described by
    Achim in the section 6 of his guide.

    - After installing the keytab on my web server using ktutil, the
    generated keytab file was not accessible to the user owning the apache
    process. I had the following error: gss_acquire_cred() failed:
    Miscellaneous failure (Permission denied)
    Solution: chmod the kerberos keytab file and grant RW access to the
    apache user.

    - After these changes, I still didn't have a successful authentication.
    The ticket was being acquired for HTTP/gtci2736vm@BGT.BANTA.COM instead
    of HTTP/gtci2736vm.bgt.banta.com@BGT.BANTA.COM.
    Solution: Change the /etc/hosts file so that the entry in that file
    that read:
    172.24.25.130 gtci2736vm gtci2736vm.bgt.banta.com
    becomes:
    172.24.25.130 gtci2736vm.bgt.banta.com gtci2736vm

    At this stage, the authentication works using a non secure connection.
    I'm going to try with the secure one.

    Thanks again all for your help (Achim and Markus in particular).
    Yannick
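The last two items in this summary are both checks that can be made before touching the browser. As an added example (not from the thread or from mod_auth_kerb), the Python below emulates the hosts-file lookup that decides which `HTTP/...` principal the acceptor asks for (with a files-based resolver the first name on the matching line becomes the canonical name, whether the lookup is forward or reverse), and then evaluates keytab permission bits the way the kernel does for the Apache worker. The hosts contents mirror the two orderings in this post; the Apache uid/gid of 48 is an assumption for illustration, and real resolvers also consult DNS, which this does not.

```python
import stat


def canonical_hostname(hosts_text, name):
    """Emulate the glibc 'files' resolver on /etc/hosts: the first
    non-comment line on which `name` appears (case-insensitively) wins, and
    its canonical name is the first name on that line, whatever alias was
    looked up. This is why the order of names on a line matters."""
    wanted = name.lower()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        names = fields[1:]
        if wanted in (n.lower() for n in names):
            return names[0]
    return None


def expected_service_principal(hosts_text, server_name, realm, service="HTTP"):
    """Principal a GSS-API acceptor will look for in the keytab after
    canonicalising server_name through the hosts file (no DNS involved here)."""
    canonical = canonical_hostname(hosts_text, server_name) or server_name
    return f"{service}/{canonical}@{realm}"


def keytab_findings(mode, owner_uid, owner_gid, apache_uid, apache_gid):
    """Check keytab permission bits the way the kernel does for the Apache
    worker: owner bits if the uid matches, else group bits if the gid matches,
    else the 'other' bits. Read access is all mod_auth_kerb needs."""
    if owner_uid == apache_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif owner_gid == apache_gid:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    findings = []
    if not readable:
        findings.append("not readable by the Apache uid/gid (gss_acquire_cred: Permission denied)")
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read the HTTP service key")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    if owner_uid == apache_uid and mode & stat.S_IWUSR:
        findings.append("owned and writable by the Apache user; read-only is sufficient")
    return findings


# Constructed hosts-file contents mirroring the two orderings discussed above.
HOSTS_SHORT_FIRST = "172.24.25.130 gtci2736vm gtci2736vm.bgt.banta.com\n"
HOSTS_FQDN_FIRST = "172.24.25.130 gtci2736vm.bgt.banta.com gtci2736vm\n"
REALM = "BGT.BANTA.COM"
APACHE_UID = APACHE_GID = 48   # assumed uid/gid of the Apache worker, for illustration

if __name__ == "__main__":
    for text in (HOSTS_SHORT_FIRST, HOSTS_FQDN_FIRST):
        print(text.strip(), "->", expected_service_principal(text, "gtci2736vm", REALM))
    # root-owned 0600 keytab: unreadable by Apache, the error seen earlier in the thread
    print(keytab_findings(0o600, 0, 0, APACHE_UID, APACHE_GID))
    # root:apache 0640: readable by the worker, not exposed to other local users
    print(keytab_findings(0o640, 0, APACHE_GID, APACHE_UID, APACHE_GID))
```

Compare the computed principal against `klist -k /etc/krb5.keytab`, which lists the names the keytab actually holds; a mismatch between the two is exactly the `HTTP/gtci2736vm@...` versus `HTTP/gtci2736vm.bgt.banta.com@...` situation above. Two caveats a practitioner would add to this post's fixes: read access for the Apache user is enough, so a root:apache 0640 keytab is preferable to granting write access, and a world-readable keytab hands the service's long-term key to every local account. Reordering /etc/hosts is one way to steer canonicalisation; mod_auth_kerb's `KrbServiceName` directive lets you name the principal explicitly instead of depending on the resolver.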

