Re: [modauthkerb] Keytab not readable? Can't authenticate workstation for SSO
From: Martin Y. <yve...@el...> - 2013-11-01 15:57:20
Hello Douglas,

Personally, the "service account" I created for SPN and keytab generation is also used to authenticate LDAP queries... As long as the password does not expire and is correct, I have discovered no trouble with it.

To sum up for Jim, here are some tasks I think about:

- if the "user account" holding the SPN and used to generate the keytab is not a specific service account, it is worth deleting it and creating it again...
- create a dedicated "service account" (standard account but dedicated to Kerberos SSO) in AD and create the keytab
- check and clean duplicate SPNs
- do not use the default location /etc/krb5.keytab but (for instance) /etc/apache2/http-arecord.keytab
- validate the SPN with kinit/kvno:

    $ kinit MeMyselfI
    $ kvno HTTP/arecord.mysite.com
    $ kdestroy
    $ kinit HTTP/arecord.mysite.com
      => check password authentication with the "service account" password
    $ kdestroy
    $ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
      => is equivalent to the previous one but the password comes from the keytab

If all those diagnostic steps pass, there is no reason Apache2 cannot accept your token from your browser... Or else you have big trouble in Apache2/mod_auth_kerb. You should provide us with details about it.

For a reason I have not found yet, a few months ago, with Debian Wheezy mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set "KrbServiceName HTTP/arecord.mysite.com" instead of the default "HTTP" to get my system to load the keytab. It no longer "guessed" the expected SPN, probably because our network was in a migration from one domain to another. I just checked and that trick is no longer required, the defaults work.

Hope this helps
--
Yves Martin
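The diagnostic steps above, turned into a pre-flight script as an added example (not from the thread or from mod_auth_kerb itself). It assumes MIT Kerberos command syntax, GNU stat, the keytab path and SPN from the post, and that Apache runs as www-data; it checks that the keytab is owned by the Apache user and not world-readable, that the SPN is present in it, and, when run with --live, that kinit can authenticate from the keytab alone.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for an Apache/mod_auth_kerb keytab.
# Assumed values (override via environment):
KEYTAB="${KEYTAB:-/etc/apache2/http-arecord.keytab}"
SPN="${SPN:-HTTP/arecord.mysite.com}"
APACHE_USER="${APACHE_USER:-www-data}"

# keytab_perms_ok FILE USER: returns 0 when FILE exists, is owned by USER
# and is not world-readable (a "keytab not readable" error is usually one
# of these two, and a world-readable keytab leaks the service key).
# Assumes GNU stat (-c).
keytab_perms_ok() {
  local file="$1" user="$2" mode owner
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' "$file") || return 1
  owner=$(stat -c '%U' "$file") || return 1
  # reject if the "other" read bit (octal 004) is set
  [ $((8#$mode & 8#004)) -eq 0 ] || return 1
  [ "$owner" = "$user" ] || return 1
}

# keytab_has_spn SPN: reads `klist -k` output on stdin and returns 0 when
# an entry for SPN@<any realm> is listed. Fixed-string match, so the dots
# in the hostname are not treated as regex wildcards.
keytab_has_spn() {
  grep -q -F "${1}@"
}

# Live checks against the real keytab and KDC (needs MIT kinit/klist).
run_live_checks() {
  keytab_perms_ok "$KEYTAB" "$APACHE_USER" \
    || echo "WARN: $KEYTAB is not owned by $APACHE_USER or is world-readable"
  if klist -k "$KEYTAB" | keytab_has_spn "$SPN"; then
    echo "OK: $SPN is present in $KEYTAB"
  else
    echo "FAIL: $SPN not found in $KEYTAB (check KrbServiceName / SPN)"
    return 1
  fi
  # Same test the post recommends: obtain a TGT from the keytab alone.
  if kinit -k -t "$KEYTAB" "$SPN"; then
    echo "OK: kinit from keytab succeeded"; kdestroy
  else
    echo "FAIL: kinit -k -t $KEYTAB $SPN failed (wrong key/KVNO?)"; return 1
  fi
}

[ "${1:-}" = "--live" ] && run_live_checks
```

Run it as `./keytab-check.sh --live` on the web server to execute the kinit step; without the flag only the functions are defined.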