I opened a support call with Microsoft and got an reply that they don't
support kerberos authentication if the webserver is Apache even the client
is XP-IE. They only support IE-IIS combination.

Going back to NTLM is not an option.

I can provide ethereal trace if anyone is interested in it.
I followed the exact instructions as mentioned in
http://www.grolmsnet.de/kerbtut/
I guess, being able to do seamless SSO for first 2 days is a proof that the
keytab and the rest of the configuration is correct.

Does anyone has implemented this solution without any issues ?

--Sriram


SriramG wrote:
>
> All,
>
> We are using Apache2 with mod_auth_kerb.
>
> Red Hat Enterprise Linux AS release 3 (2.4.21-40.Elsmp)
> Apache 2.0.49 (fork)
> mod_auth_kerb-5.3
> MIT Kerberos Version 5, Release 1.5.2
> Windows XP sp2 (desktop).
>
>
> 1. User logs on to their desktop.
> 2. I can see TGT using kerbtray.
> 3. Everything works fine for 2 days.
> 4. Right from the 3rd day users starts getting basic auth box when they
> try to access the site.
>
> Apache logs
> =========
> [Mon Apr 09 10:03:25 2007] [info] Initial (No.1) HTTPS request received
> for child 1 (server lxdm14545.corp.mycompany.com:443)
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1474): [client
> 10.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type
> Kerberos
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1161): [client
> 10.X.X.X] Acquiring creds for HTTP@lxdm14545.corp.mycompany.com
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1305): [client
> 10.X.X.X] Verifying client data using KRB5 GSS-API
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1321): [client
> 10.X.X.X] Verification returned code 589824
> [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1348): [client
> 10.X.X.X] Warning: received token seems to be NTLM, which isn't
> supported by the Kerberos module. Check your IE configuration.
> [Mon Apr 09 10:03:25 2007] [error] [client 10.X.X.X]
> gss_accept_sec_context() failed: Invalid token was supplied (No error)
> [Mon Apr 09 10:03:25 2007] [info] Connection to child 1 closed with
> unclean shutdown(server lxdm14545.corp.mycompany.com:443, client
> 10.X.X.X)
>
> On the kerbtray I can see a valid ticket (non-expired).
> If the user locks the desktop(ctrl-alt-del) and unlocks it its starts
> working fine again.
>
> I used ethereal to see what's happening.
>
> On successful auth: IE is sending Authorization : Negotiate
> On failure auth:IE is sending Authorization : NTLMSSP (without even try
> using GSSAPI)
>
> Does anyone know what triggers Windows XP to stop doing kerb auth
> (GSSAPI) and switch to NTLM.
>
> Its weird that its working fine for couple of days and starts
> mis-behaving this way.
> Once in a while I see this error on Desktop's event viewer. There is no
> pattern in the time interval between the errors.
>
> The Security System could not establish a secured connection with the
> server
> ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com@corp.mycompany.com.
> No authentication protocol was available.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> I verified that we have reverse DNS look up setup properly.
>
> This seems to be a more of an issue on the XP side.
>
> Any help on this regard will be appreciated
>
> Thanks
> --Sriram
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
View this message in context: http://www.nabble.com/Mod_auth_kerb-...html#a10025814
Sent from the Kerberos - General mailing list archive at Nabble.com.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

> > On the kerbtray I can see a valid ticket (non-expired).
> > If the user locks the desktop(ctrl-alt-del) and unlocks it its starts
> > working fine again.

The TGT is expiring. TGT tickets have a "cumulative ticket life" that
is limited by ticket renewal policy. When it expires the secret key is
required to get a new one (e.g. the password via ctrl-alt-del).

Look at the Renew Until field in kerbtray. Note that kerbtray does not
update automatically. You must close it and relaunch it for it to update
the information. I think you'll find that the Renew Until time is about
2 days.

By default Windows will lock the desktop after a short time of inactivity
so you're seeing this problem because you have somehow bypassed that
policy. Or you have been working for two days straight in which case
you have bigger problems than Kerberos ticket renewal policies - you
need a new employer ;-)

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Allen,

Thanks for you response.
1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1 hour).
But, its not consistent.
2. If I leave my desktop idle for 10 mins, out corporate policy locks the
desktop, but it doesn’t create a new ticket when I unlock it.
Not sure if that’s controlled by GPO.
3. For sure it creates a new TGT or renews the TGT when I manually lock and
unlock.

Next time when this happens I will run the klist and check the ticket
EndTime.

I was able to confirmed that, if the server is IIS it switch to NTLM on this
scenario, where as mod_auth_kerb doesn’t support NTLM.

Actually we are seeing the same symptoms as mentioned in the KB article.
http://support.microsoft.com/kb/885887
But the DLL version I have here is 5.1.2600.2698. Which is higher than whats
mentioned on the article.

--Sriram


Michael B Allen wrote:
>
>> > On the kerbtray I can see a valid ticket (non-expired).
>> > If the user locks the desktop(ctrl-alt-del) and unlocks it its starts
>> > working fine again.
>
> The TGT is expiring. TGT tickets have a "cumulative ticket life" that
> is limited by ticket renewal policy. When it expires the secret key is
> required to get a new one (e.g. the password via ctrl-alt-del).
>
> Look at the Renew Until field in kerbtray. Note that kerbtray does not
> update automatically. You must close it and relaunch it for it to update
> the information. I think you'll find that the Renew Until time is about
> 2 days.
>
> By default Windows will lock the desktop after a short time of inactivity
> so you're seeing this problem because you have somehow bypassed that
> policy. Or you have been working for two days straight in which case
> you have bigger problems than Kerberos ticket renewal policies - you
> need a new employer ;-)
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
View this message in context: http://www.nabble.com/Mod_auth_kerb-...html#a10028733
Sent from the Kerberos - General mailing list archive at Nabble.com.


________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Allen,

Thanks for you response.
1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1
hour). But, its not consistant.
2. If I leave my desktop idle for 10 mins, out corporate policy locks
the desktop, but it doesn't create a new ticket when I unlock it.
Not sure if that's controlled by GPO.
3. For sure it creates a new TGT or renews the TGT when I manually lock
and unlock.

Next time when this happens I will run the klist and check the ticket
EndTime.

I was able to confirmed that, if the server is IIS it switch to NTLM on
this scenario, where as mod_auth_kerb doesn't support NTLM.

Actually we are seeing the same sympotms as mentioned in the KB article.
http://support.microsoft.com/kb/885887
But the DLL version I have here is 5.1.2600.2698. Which is higher than
whats mentioned on the article.

--Sriram

-----Original Message-----
From: Michael B Allen [mailto:mba2000@ioplex.com]
Sent: Monday, April 16, 2007 4:56 PM
To: Gopalan, Sriram
Cc: kerberos@mit.edu
Subject: Re: Mod_auth_kerb and Windows XP SP2

> > On the kerbtray I can see a valid ticket (non-expired).
> > If the user locks the desktop(ctrl-alt-del) and unlocks it its
> > starts working fine again.

The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
limited by ticket renewal policy. When it expires the secret key is
required to get a new one (e.g. the password via ctrl-alt-del).

Look at the Renew Until field in kerbtray. Note that kerbtray does not
update automatically. You must close it and relaunch it for it to update
the information. I think you'll find that the Renew Until time is about
2 days.

By default Windows will lock the desktop after a short time of
inactivity so you're seeing this problem because you have somehow
bypassed that policy. Or you have been working for two days straight in
which case you have bigger problems than Kerberos ticket renewal
policies - you need a new employer ;-)

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

On Mon, 16 Apr 2007 23:34:42 -0400
"Gopalan, Sriram" wrote:

> Allen,
>
> Thanks for you response.
> 1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1
> hour). But, its not consistant.
> 2. If I leave my desktop idle for 10 mins, out corporate policy locks
> the desktop, but it doesn't create a new ticket when I unlock it.
> Not sure if that's controlled by GPO.
> 3. For sure it creates a new TGT or renews the TGT when I manually lock
> and unlock.

This sounds like a completely different problem which has been discussed
on the mod_auth_kerb list previously. And for which there was no
resolution.

> Next time when this happens I will run the klist and check the ticket
> EndTime.
>
> I was able to confirmed that, if the server is IIS it switch to NTLM on
> this scenario, where as mod_auth_kerb doesn't support NTLM.

If you can reproduce the problem with IIS that sounds like precedence
for requesting an explaination from MS.

> Actually we are seeing the same sympotms as mentioned in the KB article.
> http://support.microsoft.com/kb/885887
> But the DLL version I have here is 5.1.2600.2698. Which is higher than
> whats mentioned on the article.

This sounds like a simple domain controller availability issue. Perhaps
mod_auth_kerb or libkrb5 could benifit from some retry capability.

Mike

> -----Original Message-----
> From: Michael B Allen [mailto:mba2000@ioplex.com]
> Sent: Monday, April 16, 2007 4:56 PM
> To: Gopalan, Sriram
> Cc: kerberos@mit.edu
> Subject: Re: Mod_auth_kerb and Windows XP SP2
>
> > > On the kerbtray I can see a valid ticket (non-expired).
> > > If the user locks the desktop(ctrl-alt-del) and unlocks it its
> > > starts working fine again.
>
> The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
> limited by ticket renewal policy. When it expires the secret key is
> required to get a new one (e.g. the password via ctrl-alt-del).
>
> Look at the Renew Until field in kerbtray. Note that kerbtray does not
> update automatically. You must close it and relaunch it for it to update
> the information. I think you'll find that the Renew Until time is about
> 2 days.
>
> By default Windows will lock the desktop after a short time of
> inactivity so you're seeing this problem because you have somehow
> bypassed that policy. Or you have been working for two days straight in
> which case you have bigger problems than Kerberos ticket renewal
> policies - you need a new employer ;-)
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>


--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Ok again this morning, I started to get prompted.
I unlocked my PC today. But it didn't renew my ticket.

Here is my klist (The site I am trying to access is
mychannele.corp.mycompany.com)

C:\Program Files\Resource Kit>date /t
Tue 04/17/2007

C:\Program Files\Resource Kit>time /t
09:14 AM

C:\Program Files\Resource Kit>klist tickets

Cached Tickets: (7)

Server: krbtgt/CORP.MYCOMPANY.COM@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


Server: krbtgt/CORP.MYCOMPANY.COM@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


Server: SFO1DC1$@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


Server:
ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


Server: LXDM14545$@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


Server: HTTP/mychannele.corp.mycompany.com@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


Server: SFO1-GFS6LB1$@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58


C:\Program Files\Resource Kit>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: sgopalan
DomainName: CORP.MYCOMPANY.COM?
TargetDomainName: CORP.MYCOMPANY.COM?
AltTargetDomainName: CORP.MYCOMPANY.COM?
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:8048
StartTime: 4/17/2007 1:10:58
EndTime: 4/17/2007 11:10:58
RenewUntil: 4/24/2007 1:10:58
TimeSkew: 4/24/2007 1:10:58


--Sriram

C:\Program Files\Resource Kit>

Michael B Allen wrote:
>
> On Mon, 16 Apr 2007 23:34:42 -0400
> "Gopalan, Sriram" wrote:
>
>> Allen,
>>
>> Thanks for you response.
>> 1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1
>> hour). But, its not consistant.
>> 2. If I leave my desktop idle for 10 mins, out corporate policy locks
>> the desktop, but it doesn't create a new ticket when I unlock it.
>> Not sure if that's controlled by GPO.
>> 3. For sure it creates a new TGT or renews the TGT when I manually lock
>> and unlock.
>
> This sounds like a completely different problem which has been discussed
> on the mod_auth_kerb list previously. And for which there was no
> resolution.
>
>> Next time when this happens I will run the klist and check the ticket
>> EndTime.
>>
>> I was able to confirmed that, if the server is IIS it switch to NTLM on
>> this scenario, where as mod_auth_kerb doesn't support NTLM.
>
> If you can reproduce the problem with IIS that sounds like precedence
> for requesting an explaination from MS.
>
>> Actually we are seeing the same sympotms as mentioned in the KB article.
>> http://support.microsoft.com/kb/885887
>> But the DLL version I have here is 5.1.2600.2698. Which is higher than
>> whats mentioned on the article.
>
> This sounds like a simple domain controller availability issue. Perhaps
> mod_auth_kerb or libkrb5 could benifit from some retry capability.
>
> Mike
>
>> -----Original Message-----
>> From: Michael B Allen [mailto:mba2000@ioplex.com]
>> Sent: Monday, April 16, 2007 4:56 PM
>> To: Gopalan, Sriram
>> Cc: kerberos@mit.edu
>> Subject: Re: Mod_auth_kerb and Windows XP SP2
>>
>> > > On the kerbtray I can see a valid ticket (non-expired).
>> > > If the user locks the desktop(ctrl-alt-del) and unlocks it its
>> > > starts working fine again.
>>
>> The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
>> limited by ticket renewal policy. When it expires the secret key is
>> required to get a new one (e.g. the password via ctrl-alt-del).
>>
>> Look at the Renew Until field in kerbtray. Note that kerbtray does not
>> update automatically. You must close it and relaunch it for it to update
>> the information. I think you'll find that the Renew Until time is about
>> 2 days.
>>
>> By default Windows will lock the desktop after a short time of
>> inactivity so you're seeing this problem because you have somehow
>> bypassed that policy. Or you have been working for two days straight in
>> which case you have bigger problems than Kerberos ticket renewal
>> policies - you need a new employer ;-)
>>
>> Mike
>>
>> --
>> Michael B Allen
>> PHP Active Directory Kerberos SSO
>> http://www.ioplex.com/
>>
>
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
View this message in context: http://www.nabble.com/Mod_auth_kerb-...html#a10039103
Sent from the Kerberos - General mailing list archive at Nabble.com.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Just wanted to update back, if anyone ends up with this issue.

We contacted MS they provided a hotfix as mentioned on the KB

http://support.microsoft.com/kb/906524/en-us

We have installed in 3 desktops. No more authentication prompts. It works
every single time. No issues so far (10 days). I haven't rebooted or logged
off the desktop yet in the last 10 days. I just lockout the desktop when I
am not using it.

We are planning to push this to 100+ desktops next week. Will post back the
results.

--Sriram



SriramG wrote:
>
> Allen,
>
> Thanks for you response.
> 1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1
> hour). But, its not consistent.
> 2. If I leave my desktop idle for 10 mins, out corporate policy locks the
> desktop, but it doesn’t create a new ticket when I unlock it.
> Not sure if that’s controlled by GPO.
> 3. For sure it creates a new TGT or renews the TGT when I manually lock
> and unlock.
>
> Next time when this happens I will run the klist and check the ticket
> EndTime.
>
> I was able to confirmed that, if the server is IIS it switch to NTLM on
> this scenario, where as mod_auth_kerb doesn’t support NTLM.
>
> Actually we are seeing the same symptoms as mentioned in the KB article.
> http://support.microsoft.com/kb/885887
> But the DLL version I have here is 5.1.2600.2698. Which is higher than
> whats mentioned on the article.
>
> --Sriram
>
>
> Michael B Allen wrote:
>>
>>> > On the kerbtray I can see a valid ticket (non-expired).
>>> > If the user locks the desktop(ctrl-alt-del) and unlocks it its starts
>>> > working fine again.
>>
>> The TGT is expiring. TGT tickets have a "cumulative ticket life" that
>> is limited by ticket renewal policy. When it expires the secret key is
>> required to get a new one (e.g. the password via ctrl-alt-del).
>>
>> Look at the Renew Until field in kerbtray. Note that kerbtray does not
>> update automatically. You must close it and relaunch it for it to update
>> the information. I think you'll find that the Renew Until time is about
>> 2 days.
>>
>> By default Windows will lock the desktop after a short time of inactivity
>> so you're seeing this problem because you have somehow bypassed that
>> policy. Or you have been working for two days straight in which case
>> you have bigger problems than Kerberos ticket renewal policies - you
>> need a new employer ;-)
>>
>> Mike
>>
>> --
>> Michael B Allen
>> PHP Active Directory Kerberos SSO
>> http://www.ioplex.com/
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>

--
View this message in context: http://www.nabble.com/Mod_auth_kerb-...html#a10279081
Sent from the Kerberos - General mailing list archive at Nabble.com.


________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Good job Sriram. I'm cc-ing the mod_auth_kerb list. They were talking about
this issue a while back.

Mike

On Tue, 1 May 2007 19:08:05 -0700 (PDT)
SriramG wrote:

> Just wanted to update back, if anyone ends up with this issue.
>
> We contacted MS they provided a hotfix as mentioned on the KB
>
> http://support.microsoft.com/kb/906524/en-us
>
> We have installed in 3 desktops. No more authentication prompts. It works
> every single time. No issues so far (10 days). I haven't rebooted or logged
> off the desktop yet in the last 10 days. I just lockout the desktop when I
> am not using it.
>
> We are planning to push this to 100+ desktops next week. Will post back the
> results.
>
> --Sriram
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos