Hi guys I configured modauthkerb according to the (very good) tutorial
http://www.grolmsnet.de/kerbtut

Basic authentication was working from firefox, but failing from IE7.
So I cranked up the debuglevel in Apache and noticed some interesting
things in the errorlog:

[Mon Mar 05 15:17:03 2007] [debug] src/mod_auth_kerb.c(1172): [client
137.99.2.73] Acquiring creds for HTTP/sumo3.engr.uconn.edu@UCONN.EDU
[Mon Mar 05 15:17:03 2007] [error] [client 137.99.2.73]
gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab
matches desired name)
[Mon Mar 05 15:17:03 2007] [info] Connection to child 70 closed with
unclean shutdown(server people.engr.uconn.edu:443, client 137.99.2.73)
[Mo

This was odd because our Kerberos realm is AD.ENGR.UCONN.EDU, and the
principle I created with ktpass.exe was
HTTP/sumo3.engr.uconn.edu@AD.ENGR.UCONN.EDU
Why was it changing the REALM to UCONN.EDU?

My /etc/krb5.conf was pretty straightforward and in no place defined the
realm UCONN.EDU, and my .htaccess file looked like this:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms AD.ENGR.UCONN.EDU
KrbServiceName HTTP
KrbVerifyKDC off
KrbMethodNegotiate on
KrbSaveCredentials off
Krb5Keytab /etc/krb5.keytab
require valid-user


If I changed the KrbMethodNegotiate to off, then IE7 would let me login
by typing my username and password. However, since I was logging on to
the Windows domain, I should be able to authenticate with kerberos, so I
turned KrbMethodNegotiate back on and was unable to authenticate with
IE7 again. Changing my KrbServiceName to
HTTP/sumo3.engr.uconn.edu@AD.ENGR.UCONN.EDU did the trick.
Now IE will let me authenticate without typing my password (using my TGT?)

Things are working the way I want them now. Are there any problems with
my configuration? Does anyone know how my realm got confused?

Thanks for any help!

Rohit

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos