Re: [modauthkerb] SSO stopped working for vhosts
From: Martin Y. <yve...@el...> - 2015-07-24 11:33:09
Hello,

If you can still kinit with the keytab, the keytab encryption is not the issue. By the way, I often create the keytab with only one encryption type included, to be "sure".

My opinion is that the issue comes from your browser, according to the NTLM warnings you report. I invite you to check with both the IE and Firefox browsers. If Firefox works well, as far as it is configured to do SPNEGO for your DNS domain name, you should try to add your domain to the "Local intranet" security zone.

If possible, use krbtray to check for the TGS for the SPN in the workstation Kerberos cache, and Wireshark to collect HTTP traffic when accessing your application; it will decode the Kerberos WWW-Authentication token if present.

Regards
--
Yves Martin

On Mon, 2015-07-20 at 12:25 +0100, Andrew Wilkins wrote:
> I think I have got to the bottom of the cause of my problem.
>
> A Windows update
> https://technet.microsoft.com/library/security/3057154
> has disabled DES, which was one of the cryptos I had enabled.
>
> It is very hard to tell what is actually going on, but I have found that of the remaining working cryptos I have RC4, AES256 and AES128, and they are in that order in the keytab. RC4 seems to be troublesome for some Windows users, and AES256 does not seem to be supported by the GSSAPI (v 2.1.25 I think), so my suspicion is that these users are getting an AES256 ticket and Windows is expecting it to work, but I can't figure out a way to confirm it.
>
> Windows has some user crypto options, but they don't actually seem to do anything on my test server.
>
> On 16 July 2015 at 23:16, Andrew Wilkins <and...@gm...> wrote:
>> Hi
>>
>> I have an Ubuntu 12.04 box hosting a Drupal intranet with SSO authentication using Kerberos.
>>
>> It was working without any problems for around 18 months, during which time the config has been left unchanged.
>>
>> We now have a login problem which started a couple of days ago: a lot of users can't log in with SSO, so they have to go to the manual login page to gain access.
>>
>> Users access the site via a couple of different URLs; the domains are CNAMEs of the actual server hostname. The users which are affected seem to be able to log in if connected to the webserver directly via its FQDN.
>>
>> The Apache debug logs do not give me anything helpful; they show the error/warning "received token seems to be NTLM", which seems to be what happens when Kerberos fails: it falls back and tries NTLM. This was the error we usually got in testing until the config was exactly right.
>>
>> I can still kinit with the keytab, and the KVNO still matches. Can anyone think of any further check I can be doing, or think of any reason it might have suddenly stopped working?
>>
>> I don't have admin access to the AD servers, but have set up my own to test with and cannot recreate the problem.
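The thread turns on what encryption types and key versions the service keytab actually holds (a DES key silently disabled by the Windows update, RC4 and AES keys in a particular order, a KVNO that must match the KDC). The following script is an added example, not code from the thread or from mod_auth_kerb: it parses an MIT-format keytab (version 0x0502) without needing `klist -kte` and reports DES or RC4 keys and mixed KVNOs for each principal. The principal `HTTP/intranet.example.com@EXAMPLE.COM`, the key bytes and the kvno values in `SAMPLE_KEYTAB` are constructed sample data, not values from the thread.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757) commonly seen in AD keytabs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_ENCTYPES = {1, 2, 3}
RC4_ENCTYPE = 23


def _counted_string(data, pos):
    """Read a keytab counted octet string: uint16 length followed by bytes."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into a list of entry dicts."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        vno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "vno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
                        "key_len": len(key)})
        pos = end
    return entries


def audit_keytab(data):
    """Return findings about enctype and kvno hygiene, one string per issue."""
    findings, by_principal = [], {}
    for e in parse_keytab(data):
        by_principal.setdefault(e["principal"], []).append(e)
    for princ, ents in by_principal.items():
        vnos = sorted({e["vno"] for e in ents})
        if len(vnos) > 1:
            findings.append(f"{princ}: mixed kvno {vnos}; stale keys present")
        for e in ents:
            if e["enctype"] in DES_ENCTYPES:
                findings.append(f"{princ}: DES key ({e['enctype_name']}, kvno {e['vno']}) "
                                "is unusable for clients with DES disabled")
            elif e["enctype"] == RC4_ENCTYPE:
                findings.append(f"{princ}: RC4 key ({e['enctype_name']}, kvno {e['vno']}) "
                                "is deprecated; prefer AES")
    return findings


def build_entry(principal, realm, enctype, vno, key):
    """Serialise one keytab entry; used here only to construct sample data."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)      # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", vno)                      # 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed sample: RC4, AES256 and AES128 keys at kvno 5 (the order the
# thread describes) plus a leftover DES key from kvno 4. Keys are dummy bytes.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("HTTP/intranet.example.com", "EXAMPLE.COM", 23, 5, b"\x11" * 16)
    + build_entry("HTTP/intranet.example.com", "EXAMPLE.COM", 18, 5, b"\x22" * 32)
    + build_entry("HTTP/intranet.example.com", "EXAMPLE.COM", 17, 5, b"\x33" * 16)
    + build_entry("HTTP/intranet.example.com", "EXAMPLE.COM", 3, 4, b"\x44" * 8)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e['vno']}  {e['principal']}  ({e['enctype_name']})")
    for f in audit_keytab(SAMPLE_KEYTAB):
        print("WARNING:", f)
```

To audit a real service keytab, replace `SAMPLE_KEYTAB` with `open("/etc/krb5.keytab", "rb").read()`; a kvno reported here that differs from `kvno HTTP/host` against the KDC, or a principal whose only keys are DES, are the two conditions from the thread that break SSO while `kinit -kt` still appears to succeed.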