Re: [modauthkerb] Invalid token was supplied (No error)
From: Edsall, W. (WJ) <WJE...@do...> - 2011-07-22 00:17:11
Hello,

We are definitely using 'windows integrated authentication'. From what I gather this is the checkbox for sending Kerberos tickets, right?

From: Eric Levita [mailto:eri...@st...]
Sent: Thursday, July 21, 2011 12:26 PM
To: Edsall, William (WJ); mod...@li...
Subject: RE: Invalid token was supplied (No error)

Make sure you're sending a Kerberos ticket; NTLM makes that module puke. Find the setting in IE and you're set.

From: Edsall, William (WJ) [mailto:WJE...@do...]
Sent: Thursday, July 21, 2011 10:56 AM
To: mod...@li...
Subject: [modauthkerb] Invalid token was supplied (No error)

Hello list,

We're having issues authenticating to Apache with mod_auth_kerb. Kinit/klist/kdestroy seem to work fine for a domain user account; however, we cannot authenticate via Internet Explorer. I'm hoping someone is available to troubleshoot with us.

Note: I replaced most of our domain names with site.com.

Should the 'Acquiring creds' match an exact principal in klist -ke?

Here is the debug log we get when trying to hit the website:

[Thu Jul 21 11:21:01 2011] [debug] src/mod_auth_kerb.c(1432): [client 163.198.30.13] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jul 21 11:21:02 2011] [debug] src/mod_auth_kerb.c(1432): [client 163.198.30.13] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jul 21 11:21:02 2011] [debug] src/mod_auth_kerb.c(1147): [client 163.198.30.13] Acquiring creds for HTTP@centrum
[Thu Jul 21 11:21:02 2011] [debug] src/mod_auth_kerb.c(1266): [client 163.198.30.13] Verifying client data using KRB5 GSS-API
[Thu Jul 21 11:21:02 2011] [debug] src/mod_auth_kerb.c(1282): [client 163.198.30.13] Verification returned code 589824
[Thu Jul 21 11:21:02 2011] [debug] src/mod_auth_kerb.c(1309): [client 163.198.30.13] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Thu Jul 21 11:21:02 2011] [error] [client 163.198.30.13] gss_accept_sec_context() failed: Invalid token was supplied (No error)

Our apache config:

# Connect Apache and Tomcat
<Location /site>
    ProxyPass ajp://127.0.0.1:8009/ site flushpackets=on
    ProxyPassReverse ajp://127.0.0.1:8009/ site
    AuthName "Portal"
    AuthType Kerberos
    KrbAuthRealms SITE.COM
    Require valid-user
    KrbMethodNegotiate On
    #KrbMethodK5Passwd Off
    #KrbServiceName HTTP/ce...@SI...
    #KrbVerifyKDC off
    #ErrorDocument 401 /HTTP_UNAUTHORIZED.html
</Location>

Our krb5.conf:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = SITE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    SITE.COM = {
        kdc = <server>
        admin_server = <server>
        default_domain = site.com
    }

[domain_realm]
    .site.com = SITE.COM
    site.com = SITE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[root@centrum etc]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  19 host/cen...@si... (DES cbc mode with CRC-32)
  19 host/cen...@si... (DES cbc mode with RSA-MD5)
  19 host/cen...@si... (ArcFour with HMAC/md5)
  19 host/ce...@si... (DES cbc mode with CRC-32)
  19 host/ce...@si... (DES cbc mode with RSA-MD5)
  19 host/ce...@si... (ArcFour with HMAC/md5)
  19 CENTRUM$@site.com (DES cbc mode with CRC-32)
  19 CENTRUM$@site.com (DES cbc mode with RSA-MD5)
  19 CENTRUM$@site.com (ArcFour with HMAC/md5)
  19 HTTP/cen...@si... (DES cbc mode with CRC-32)
  19 HTTP/cen...@si... (DES cbc mode with RSA-MD5)
  19 HTTP/cen...@si... (ArcFour with HMAC/md5)
  19 HTTP/ce...@si... (DES cbc mode with CRC-32)
  19 HTTP/ce...@si... (DES cbc mode with RSA-MD5)
  19 HTTP/ce...@si... (ArcFour with HMAC/md5)

_______________________________________
William J. Edsall
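
Added example (not part of the original thread and not mod_auth_kerb code): the Python below classifies the token carried in an "Authorization: Negotiate" request header as raw NTLM or SPNEGO/Kerberos, and names the routine error behind the 589824 major status in the log above. The function names and both sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
# GSS-API routine errors from RFC 2744 (subset)
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 9: "GSS_S_DEFECTIVE_TOKEN", 13: "GSS_S_FAILURE"}

def gss_routine_error(major):
    """Name the routine-error field (bits 16-23) of a GSS-API major status."""
    code = (major >> 16) & 0xFF
    return ROUTINE_ERRORS.get(code, "routine error %d" % code)

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed-base64"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm-raw"            # bare NTLMSSP message, no GSS-API framing
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"             # 0x60 opens a GSS-API InitialContextToken
    # Skip the DER length after the 0x60 tag to reach the mechanism OID.
    body = token[2 + ((token[1] & 0x7F) if token[1] & 0x80 else 0):]
    if body.startswith((OID_KRB5, OID_MS_KRB5)):
        return "kerberos-raw"
    if body.startswith(OID_SPNEGO):
        if NTLMSSP_SIG in body:      # NTLM message carried as the SPNEGO mechToken
            return "spnego-ntlm"
        return "spnego-kerberos" if (OID_KRB5 in body or OID_MS_KRB5 in body) else "spnego-other"
    return "unknown"

def tlv(tag, body):
    """Minimal DER TLV builder (short-form length) for the constructed samples."""
    return bytes([tag, len(body)]) + body

# Constructed samples, not captured traffic.
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes.fromhex("07820000") + bytes(16)
SPNEGO_KRB5 = tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, OID_MS_KRB5 + OID_KRB5)))))
HDR_NTLM = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
HDR_KRB5 = "Negotiate " + base64.b64encode(SPNEGO_KRB5).decode()

if __name__ == "__main__":
    print(gss_routine_error(589824), classify_negotiate(HDR_NTLM), classify_negotiate(HDR_KRB5))
```

A raw NTLM type 1 token is recognisable in a header capture without decoding, because its base64 form begins with "TlRMTVNTUAAB".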