Hi folks,
I have the following setup:
- Apache 2.x with mod_spnego and SSL installed, configured, and running.
- Firefox 1.5 (on Redhat Fedora Core 4)
- Kerberos v5 installed and configured.
I can successfully authenticate to the KDC via a kinit and I have a valid keytab file in /etc/krb5.keytab.
I've configured the protected user directories like so:
UserDir public_html
<Directory /home/*/public_html>
AllowOverride AuthConfig Indexes
...
Krb5KeyTabFile /etc/krb5.keytab
Krb5ServiceName http
</Directory>
Inside the user directory, I have one .htaccess file with the following contents:
AuthType SPNEGO
Require valid-user
I successfully get credentials on the client with a kinit and I have configured the two Firefox variables with the FQDN of the http server:
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
and then I use Firefox to access the protected directory, but it fails with the following:
[Tue Jan 17 16:17:09 2006] [info] [client 134.9.14.20] mod_spnego: entering authenticateUser
[Tue Jan 17 16:17:09 2006] [info] [client 134.9.14.20] mod_spnego: sending 401 and "WWW-Authenticate: Negotiate"
It seems that Firefox does not send an Authorization header after the 401. IE and Firefox on WINDOWS do this automatically, but they use NTLM tokens, not SPNEGO tokens.
Any ideas would be greatly appreciated.
Thanks!
Konstantin
Is your Windows system on the domain with the kdc?
Did you do a kinit on Unix before starting Firefox?
Markus
Hi Markus,
Yep, I successfully did a kinit on Linux prior to starting Firefox. klist shows that I have a TGT. I've also tried using an SSL connection (I have SSL enabled and configured), but I get the same results:
[Tue Jan 17 16:17:09 2006] [info] [client 10.10.1.4] mod_spnego: entering authenticateUser
[Tue Jan 17 16:17:09 2006] [info] [client 10.10.1.4] mod_spnego: sending 401 and "WWW-Authenticate: Negotiate"
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
I mentioned Windows previously because I thought it may be useful information. The Windows client is not on the domain with the kdc... so that's why it doesn't have Kerberos credentials.
Konstantin
Can you capture the traffic on port 88 with Ethereal? You should see the client system send a request to the kdc for HTTP/fqdn.
If not, try the following too:
1) kinit HTTP/fqdn -k /etc/krb5.keytab. (BTW, I assume the apache process can read /etc/krb5.keytab. Usually you use another keytab for the HTTP/fqdn principal because you don't want to give anybody else than root access to /etc/krb5.keytab.) Then a klist -e should show that you have a TGT for HTTP/fqdn. This proves you have a HTTP/fqdn entry with the right password in the keytab.
2) If that fails, try kinit HTTP/fqdn. An error here shows that the kdc doesn't have a principal for HTTP/fqdn. If it asks for a password, then the password in the keytab is wrong.
3) Make sure /etc/hosts has
IP fqdn shorthostname
and NOT
IP shorthostname fqdn
Regards
Markus
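An added pre-flight script that encodes Markus's checks 1 and 3 above (this is example code written for this page, not something posted in the thread or shipped with mod_spnego). It verifies that /etc/hosts lists the FQDN as the canonical name before the short name, that the keytab is not world-readable, and wraps the kinit/klist step in a function using MIT Kerberos syntax, which needs a reachable KDC and is therefore not run by the demo. The hostname web01.example.com, the IP, the keytab path and the sample hosts entries are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for an Apache/mod_spnego host (example code for this page).
# Hostnames, IPs and paths below are assumed sample values, not the poster's.

# check_hosts_order FILE FQDN
# Returns 0 if every entry in FILE naming FQDN lists it as the first name after
# the IP (the canonical name), 1 if a short name precedes it, 2 if FQDN is absent.
# Kerberos clients canonicalise the server name through this file, so a short
# name listed first makes the client ask the KDC for HTTP/shorthost instead of
# HTTP/fqdn, and the keytab lookup on the server then fails.
check_hosts_order() {
  file=$1
  fqdn=$2
  found=0
  bad=0
  while IFS= read -r line; do
    line=${line%%#*}          # drop trailing comments
    set -- $line              # split into IP and names
    [ $# -ge 2 ] || continue  # skip blank lines and IP-only lines
    ip=$1
    shift
    case " $* " in
      *" $fqdn "*) ;;         # this entry mentions our FQDN
      *) continue ;;
    esac
    found=1
    if [ "$1" != "$fqdn" ]; then
      echo "WARN: $file: '$1' precedes '$fqdn' for $ip; clients may request HTTP/$1" >&2
      bad=1
    fi
  done < "$file"
  [ "$found" -eq 1 ] || return 2
  return "$bad"
}

# check_keytab_perms KEYTAB
# Returns 0 if KEYTAB exists and is not world-readable, 1 otherwise. A keytab
# holds the service's long-term key; only root and the Apache user should read it.
check_keytab_perms() {
  keytab=$1
  [ -f "$keytab" ] || { echo "ERR: $keytab missing" >&2; return 1; }
  if [ -n "$(find "$keytab" -prune -perm -004)" ]; then
    echo "WARN: $keytab is world-readable" >&2
    return 1
  fi
  return 0
}

# verify_service_principal KEYTAB FQDN
# Markus's step 1 in MIT Kerberos syntax: obtain a TGT as HTTP/FQDN using the
# keytab, then list it with encryption types. Needs a reachable KDC, so the
# demo below does not call it.
verify_service_principal() {
  keytab=$1
  fqdn=$2
  kinit -k -t "$keytab" "HTTP/$fqdn" && klist -e
}

# Demo on a constructed hosts file (sample data) showing the wrong ordering.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
127.0.0.1   localhost
10.10.1.4   web01 web01.example.com   # short name first: wrong order
EOF
check_hosts_order "$tmp" web01.example.com || echo "hosts check failed with status $?"
rm -f "$tmp"
```

Run it on the web server as root (or the Apache user, to confirm it can read the keytab); a status of 1 from check_hosts_order is the misordering Markus describes in step 3, and a status of 2 means the FQDN is not in /etc/hosts at all.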
Those are good ideas. I'm going to investigate further and let you know any results.
Can you also set the Apache LogLevel to debug?
Markus