This is a discussion on strange behavior with modauthkerb, Active Directory, and IE7 - Kerberos ; Hi guys I configured modauthkerb according to the (very good) tutorial http://www.grolmsnet.de/kerbtut Basic authentication was working from firefox, but failing from IE7. So I cranked up the debuglevel in Apache and noticed some interesting things in the errorlog: [Mon Mar ...
Hi guys I configured modauthkerb according to the (very good) tutorial
Basic authentication was working from firefox, but failing from IE7.
So I cranked up the debuglevel in Apache and noticed some interesting
things in the errorlog:
[Mon Mar 05 15:17:03 2007] [debug] src/mod_auth_kerb.c(1172): [client
220.127.116.11] Acquiring creds for HTTP/sumo3.engr.uconn.edu@UCONN.EDU
[Mon Mar 05 15:17:03 2007] [error] [client 18.104.22.168]
gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab
matches desired name)
[Mon Mar 05 15:17:03 2007] [info] Connection to child 70 closed with
unclean shutdown(server people.engr.uconn.edu:443, client 22.214.171.124)
This was odd because our Kerberos realm is AD.ENGR.UCONN.EDU, and the
principle I created with ktpass.exe was
Why was it changing the REALM to UCONN.EDU?
My /etc/krb5.conf was pretty straightforward and in no place defined the
realm UCONN.EDU, and my .htaccess file looked like this:
AuthName "Kerberos Login"
If I changed the KrbMethodNegotiate to off, then IE7 would let me login
by typing my username and password. However, since I was logging on to
the Windows domain, I should be able to authenticate with kerberos, so I
turned KrbMethodNegotiate back on and was unable to authenticate with
IE7 again. Changing my KrbServiceName to
HTTP/sumo3.engr.uconn.edu@AD.ENGR.UCONN.EDU did the trick.
Now IE will let me authenticate without typing my password (using my TGT?)
Things are working the way I want them now. Are there any problems with
my configuration? Does anyone know how my realm got confused?
Thanks for any help!
Kerberos mailing list Kerberos@mit.edu