Hi,
I'm trying to get this module working on a FreeBSD 4.11 with apache 1.3.33. I've followed http://www.onlamp.com/lpt/a/4171 and the module compiled fine, but when trying to connect to it - it only says "gss_accept_sec_context() failed: Wrong principal in request" - and I don't get anything in my event logs on windows :(
Any help is appreciated - and I can enable a DEBUG mode or anything, I'll gladly do that, if you tell me how :)
btw. I've installed MIT-kerberos on the client, and I've set /etc/krb5.conf (and /usr/local/etc/krb5.conf) to my domain etc. (the one in CAPITALS).
Klavs,
this can have several reasons.
1) The hostname in the ticket doesn't match the hostname in the ticket.
So you have to check that the DNS resolution is correct, e.g. that your /etc/hosts file has an entry like:
10.10.10.10 fqdn shorthostname
(if nsswitch is set to file, bind for hosts)
It is important that the fqdn comes first.
2) The service name is not the same. Check that the service name is HTTP (uppercase)
3) The encryption type doesn't match
Use kerbtray from the w2k3 resource kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en) to list the used tickets and their encryption type, which should match the one in the keytab (use klist -ekt http.keytab to list)
4) With w2k3 the key version number is incrementable. Make sure that the kvno in AD is the same as in your keytab. I remember there were some ktpass updates too.
Markus
A second problem can be that you use a w2k3 server as kdc which supports key version numbers and ktpass didn't.
You can use kerbtray to check the ticket and the encryption type used.
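The four checks Markus lists above, as an added example that is not part of the thread and not mod_auth_kerb's own code: a small POSIX shell script that compares the first name /etc/hosts gives for the server's IP with the expected FQDN, looks for the exact (case-sensitive) HTTP/fqdn@REALM principal in a `klist -ekt` listing, prints the encryption types stored for it, and reports whether the keytab holds a single kvno. The host name, IP address, realm, hosts lines and klist output are constructed sample data so the script runs offline; for a real check, feed it /etc/hosts and the actual output of `klist -ekt http.keytab`, and compare the printed kvno with the one AD reports for the account.

```sh
#!/bin/sh
# Added example, not from the thread or from mod_auth_kerb: offline checks for
# the four causes of "Wrong principal in request" listed above.  The inputs
# below are constructed sample data (hypothetical host, IP and realm); for a
# real check pipe in /etc/hosts and the output of `klist -ekt http.keytab`.

SAMPLE_HOSTS='127.0.0.1 localhost
10.10.10.10 www.example.com www'

SAMPLE_KLIST='Keytab name: FILE:http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/05 12:00:00 HTTP/www.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 01/01/05 12:00:00 HTTP/www.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'

# 1) Name resolution: print the first name listed for an IP in hosts(5) format.
#    $1 = IP address, stdin = hosts file content.
hosts_first_name() {
    awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# 2) Service name and realm: exit 0 if the exact principal (case-sensitive,
#    so "HTTP/..." is found but "http/..." is not) appears in the listing.
#    $1 = principal, stdin = klist -ekt output.  Data lines start with a kvno.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# 3) Encryption types: print the enctype of every key stored for the
#    principal, one per line (the parenthesised tail of a `klist -e` line).
keytab_enctypes() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p {
        sub(/^[^(]*\(/, ""); sub(/\)[ \t]*$/, ""); print
    }'
}

# 4) Key version numbers: print the distinct kvnos stored for the principal.
#    More than one line, or a value other than what AD reports for the
#    account, means the keytab and the account are out of step.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' | sort -u
}

# Run all four checks and print a one-line verdict for each.
#   $1 = IP, $2 = fqdn, $3 = realm, $4 = hosts content, $5 = klist output
check_service_principal() {
    ip=$1; fqdn=$2; realm=$3; hosts=$4; klist_out=$5
    princ="HTTP/$fqdn@$realm"
    first=$(printf '%s\n' "$hosts" | hosts_first_name "$ip")
    if [ "$first" = "$fqdn" ]; then
        echo "ok   hosts: $ip resolves to $fqdn first"
    else
        echo "FAIL hosts: first name for $ip is '$first', expected $fqdn"
    fi
    if printf '%s\n' "$klist_out" | keytab_has_principal "$princ"; then
        echo "ok   keytab: $princ present"
    else
        echo "FAIL keytab: $princ missing (check case of HTTP and the realm)"
    fi
    printf '%s\n' "$klist_out" | keytab_enctypes "$princ" | sed 's/^/     enctype: /'
    n=$(printf '%s\n' "$klist_out" | keytab_kvnos "$princ" | wc -l)
    if [ "$n" -eq 1 ]; then
        echo "ok   kvno: $(printf '%s\n' "$klist_out" | keytab_kvnos "$princ") (compare with AD)"
    else
        echo "FAIL kvno: $n distinct key versions in keytab"
    fi
}

check_service_principal 10.10.10.10 www.example.com EXAMPLE.COM "$SAMPLE_HOSTS" "$SAMPLE_KLIST"
```

The principal comparison is deliberately exact: a lowercase `http/` service name or a NetBIOS-style realm instead of the uppercase DNS realm shows up as a "missing" principal, which is the mismatch behind the "Wrong principal in request" error. The enctype lines are printed rather than judged, because the value to compare them against comes from the client side (kerbtray's view of the ticket).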
Hi Markus,
Thank you for your tips.
I started kerbtray, and it showed me it used the dns realmname - in uppercase (and not the netbios name). I tried using that, and voila - I can authenticate.
My only problem is now, that my IE (on a W2K - not w2k3 client) does not automatically forward a kerberos ticket (I'm assuming it has one - haven't found a kerbtray for w2k) - so I have to enter my username/password :(
If I get it to forward the kerberos ticket - would it be safe to do that over HTTP - afterall the ticket is encrypted? as long as I don't permit basic auth - but only those who have a kerbticket?
Thank you for your help so far.
I found a resource kit for win2k and can see my user@REALM "client principal" and a lot of keys (Service Principals it seems) in the scroll window below. I cannot however see a service principal for my webserver - not even after I've accessed it (on https - though an invalid https cert which I just accept - but I suppose that's OK ?).
Any debugging hints are very much appreciated :)
An oddity is also - if I access the webserver via http - it does NOT ask for domain (but does say "KRB5 Realm" as config is setup for) - and when using https it does ask for domain also.
Also - it doesn't work in http - it says:
Server not found in Kerberos database
which would seem that IE6 is refusing to do Kerberos auth over HTTP (which to me seems fair I guess - unless it can just forward the ticket which AFAIK should be safe) ?
Klavs,
I missed your last responses. Did you check that on w2k IE is configured to use integrated windows authentication ?
Regards
Markus
Yes - IE is configured to use integrated windows auth - and it works too. When the ticket expires (I guess that's what happens) the user is asked for a password both on IE and in firefox. In IE it works - in Firefox it just keeps asking (It seems it's not able to send a Realm along etc. - it says invalid realm or something in the logs).
I'm not able to test today unfortunately - but I'll apply the patches ASAP and come back to you.
Thank you for your quick responses.