Re: [modauthkerb] Please help me getting single sign on working with IE10
From: Jim F. <jim...@an...> - 2014-03-30 21:52:18
Hey Andrew,

Please see my comments inline below:

On Sat, Mar 29, 2014 at 5:42 PM, Andrew Wilkins <and...@gm...> wrote:

> Hi I am looking for some help with sso for drupal using kerberos with apache
> on an active directory domain, with windows 7 clients using IE10

I assume you are using the LDAP module: https://drupal.org/project/ldap?
Single Sign On aside, are users able to authenticate to your Drupal site
with their Active Directory (AD) credentials?

> I have setup following this guide
>
> http://www.grolmsnet.de/kerbtut/

It's good that you're using this guide. The closer you can stick to it, the
better. It really helped me in the past.

> i have used ktpass to generate the keytab, originally using rc4-hmac-nt as
> the crypto type, but read that it might not work with windows 7 by default
> now, so have tried it with crypto ALL

I used "/crypto RC4-HMAC-NT" when creating a keytab for my Drupal SSO setup
and it worked with Windows 7. I can't guarantee it would always work, but
can confirm it worked for me.

> I am still receiving the following error in the logs.
>
> Warning: received token seems to be NTLM, which isn't supported by the
> Kerberos module. Check your IE configuration.

Is this information coming from your Apache error logs? Is there any more
context?

> I understand this error can be misleading, as you will sometimes get it
> when it's not a client config problem as when kerberos fails it sends the
> NTLM ticket anyway
>
> should a keytab which has been generated with all the available crypto
> types just work sorting out the crypto type with the client, or do i need
> to do something to make it work?

Unfortunately I don't know the answer to this. However, since you've created
a keytab a couple of times now with different encryption types, it may be
worth double checking that you don't have duplicate SPNs.

Try running the following in the command line on your Active Directory DC:

  setspn -q HTTP/arecord.yoursite.com

(obviously put in your own fqdn)

> Also something i am a little unclear on is do i need to have any local
> tickets loaded for the keytab to work or does the module handle getting
> its own tickets ?

Try signing into your windows 7 workstation that you want to SSO. Open up
the command line and run "klist". This should show your Ticket Granting
Ticket (TGT) and possibly a few service tickets for other windows
authentication. Your windows 7 workstation will try to access your Drupal
site anonymously initially. So you won't see a ticket for that specific
service until you try to hit your site:
https://cname.yoursite.com/user/login/sso. Once you hit that URL, given that
your browser is configured properly, try running klist again and see if you
can see a ticket for that specific service.

> the guide has me testing using
> kinit user@domain
> which successfully makes a ticket
> and later
> kinit -k -t /keytabfile PRINCPLE/fqdn
> again this successfully creates a ticket
>
> are they purely for testing, or would either of them need to be renewed
> when they expire ?

The first command is getting you a TGT from the Key Distribution Center
(KDC) - i.e. your Active Directory. The second is checking if your keytab
file on your Drupal server is working. The fact that it completes without
error is a good sign. This is used for testing, so don't worry about
renewing these specific tickets. Each workstation will get its own TGT
through the Authentication Service (AS) during login and (hopefully) get a
valid ticket for your service from the Ticket Granting Service (TGS) when
you try to access your site. Don't worry about the AS and TGS. They are both
part of the KDC and should be set up automatically with Active Directory.

The steps you mentioned above are important to make sure that AD is sending
tickets for the correct service that can be validated correctly against
your keytab file. You can also make sure your Key Version Number (KVNO) for
your ticket matches the KVNO in your keytab:

  kvno HTTP/arecord.mysite.com

Then check it against your keytab KVNO:

  klist -k

More importantly in your case, check that the encryption types match:

  klist -e

Check this against your keytab:

  klist -e -k -t /path/to/your/keytab/krb5.keytab

> ------------------------------------------------------------------------------
>
> _______________________________________________
> modauthkerb-help mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
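The KVNO and encryption-type comparison Jim describes (kvno, klist -k, klist -e, klist -e -k -t) is done by eye in the reply. The script below is an added example, not code from the thread or from mod_auth_kerb, that automates that comparison: it parses MIT Kerberos klist/kvno output and reports whether the keytab holds a key with the same KVNO and enctype as the service ticket the client actually received. The sample outputs, the realm EXAMPLE.COM, KVNO 3 and the timestamps are constructed for illustration; the MIT output layout (Heimdal's klist prints a different format) is an assumption.

```python
import re

# Constructed sample outputs in MIT Kerberos klist/kvno layout (not captured
# from a real system). Realm, KVNO and timestamps are illustrative assumptions.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/30/2014 10:00:00 HTTP/arecord.mysite.com@EXAMPLE.COM (arcfour-hmac)
   3 03/30/2014 10:00:00 HTTP/arecord.mysite.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

TICKET_CACHE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
03/30/2014 10:05:00  03/30/2014 20:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/2014 10:06:00  03/30/2014 20:05:00  HTTP/arecord.mysite.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

KVNO_OUTPUT = "HTTP/arecord.mysite.com@EXAMPLE.COM: kvno = 3\n"

# "klist -e -k -t": KVNO, date, time, principal, (enctype)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# "klist -e": valid-from, expires, service principal, then an Etype line
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)\s*$")
# "kvno HTTP/host": principal, kvno
KVNO_RE = re.compile(r"^([^:\s]+): kvno = (\d+)\s*$")


def parse_keytab(listing):
    """Map principal -> set of (kvno, enctype) from `klist -e -k -t` output."""
    keys = {}
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return keys


def parse_ticket_cache(listing):
    """Map service principal -> ticket enctype from `klist -e` output.

    The second value on the Etype line ("tkt") is the type of the key the
    ticket was encrypted with, i.e. the service's long-term key. That is the
    key mod_auth_kerb must find in the keytab; the "skey" value is only the
    session key type.
    """
    tickets, current = {}, None
    for line in listing.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and current:
            tickets[current] = m.group(2)
            current = None
    return tickets


def check_service(service, keytab, tickets, kvno_output):
    """Return a list of problems; an empty list means keytab and ticket agree."""
    problems = []
    m = KVNO_RE.match(kvno_output.strip())
    if not m or not m.group(1).startswith(service + "@"):
        return [f"kvno output does not name {service}"]
    principal, kdc_kvno = m.group(1), int(m.group(2))
    keys = keytab.get(principal)
    if not keys:
        return [f"keytab has no key for {principal}"]
    keytab_kvnos = sorted({k for k, _ in keys})
    if kdc_kvno not in keytab_kvnos:
        # Typical after re-running ktpass: AD bumped the KVNO, keytab is stale.
        problems.append(f"KDC kvno {kdc_kvno} not in keytab kvnos {keytab_kvnos}")
    tkt_etype = tickets.get(principal)
    if tkt_etype is None:
        problems.append(f"no service ticket for {principal} in the cache")
    elif (kdc_kvno, tkt_etype) not in keys:
        problems.append(f"ticket enctype {tkt_etype} has no keytab key at kvno {kdc_kvno}")
    return problems


if __name__ == "__main__":
    result = check_service("HTTP/arecord.mysite.com",
                           parse_keytab(KEYTAB_LISTING),
                           parse_ticket_cache(TICKET_CACHE_LISTING),
                           KVNO_OUTPUT)
    print("OK" if not result else "\n".join(result))
```

On a real server, feed the script the captured output of the four commands from the reply instead of the constructed strings; a KVNO gap usually means the keytab predates the last ktpass run, and an enctype gap means the KDC issued a ticket for a key type the keytab never contained, both of which make the module fail to accept the token before the browser ever gets as far as a successful Kerberos login.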