Hi guys,
When I use Firefox with the apachegss module, after about an hour Firefox has to be stopped and started again to reauthenticate. In IE it asks me for my login credentials (which works in IE - not in Firefox) - but still.
What is the matter here - is it the ticket lifetime in the AD somewhere that's set too short? And if so, any hints on how to fix it?
Thank you for a great Apache extension - if I could just make it run an entire workday, without angry users :)
Klavs,
what are the error messages in the apache log file ?
Markus
[Mon Mar 14 08:22:58 2005] [notice] [client x.x.x.x] parseNegTokenInit failed with rc=101
[Mon Mar 14 08:22:58 2005] [notice] [client x.x.x.x] gss_accept_sec_context() failed: Token header is malformed or corrupt:
Klavs
We added some code so that you can use SPNEGO tokens from Windows and GSS tokens from Linux. If you use Firefox on Linux you normally get an error 109 as the SPNEGO parsing fails but no gssapi error. And Firefox on Windows uses SPNEGO tokens and you shouldn't see an error. If the ticket lifetime is too short the browser can't get the service token to forward it to the server. This means you wouldn't see an error on the server. You can check with klist -e on Linux or kerbtray on Windows what your ticket lifetime is. I will send you tomorrow a modified source so that you can save the token which creates the error and send it to us for analysis of the ASN.1 token structure.
Do you see the error only from Linux clients?
Regards
Markus
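The difference Markus describes between a SPNEGO token and a raw GSS (Kerberos) token can be checked on the header itself, before any mechanism-specific ASN.1 is parsed. The following C program is an added example, not code from the mod_auth_gss_krb5 project or from anyone in this thread: it base64-decodes the payload of an "Authorization: Negotiate" header, validates the RFC 2743 InitialContextToken wrapper (the [APPLICATION 0] tag, its DER length and the mechanism OID), and reports whether the client sent SPNEGO, Kerberos 5 or the Microsoft Kerberos 5 variant. The function names and the sample tokens embedded in it are constructed for this example; real tokens carry a full NegTokenInit or AP-REQ after the OID, which this program deliberately does not parse.

```c
/* Added example, not part of mod_auth_gss_krb5: classify the GSS-API initial
 * context token carried in an "Authorization: Negotiate" header.
 * RFC 2743 3.1 wraps every initial token as
 *   0x60 <DER length> 0x06 <OID length> <mechanism OID> <mechanism token>
 * so the wrapper and OID can be checked before the mechanism-specific ASN.1
 * (a SPNEGO NegTokenInit or a Kerberos AP-REQ) is parsed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mech { MECH_INVALID = 0, MECH_SPNEGO, MECH_KRB5, MECH_MS_KRB5, MECH_UNKNOWN };

/* DER encodings of the mechanism OIDs a Windows or Linux browser may send. */
static const uint8_t OID_SPNEGO[]  = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };                   /* 1.3.6.1.5.5.2 */
static const uint8_t OID_KRB5[]    = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }; /* 1.2.840.113554.1.2.2 */
static const uint8_t OID_MS_KRB5[] = { 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02 }; /* 1.2.840.48018.1.2.2 */

/* Read a DER length at buf[*pos] and advance *pos; return 0 if truncated or malformed. */
static int der_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return 0;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 1; }           /* short form */
    size_t n = b & 0x7f;                            /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || n > len - *pos) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 1;
}

/* Classify a raw (already base64-decoded) token by its mechanism OID.
 * MECH_INVALID means the [APPLICATION 0] wrapper or the OID is malformed,
 * which is the shape of a "Token header is malformed or corrupt" failure. */
enum mech classify_gss_token(const uint8_t *tok, size_t len)
{
    size_t pos = 0, inner = 0, oidlen = 0;
    if (len < 2 || tok[pos++] != 0x60) return MECH_INVALID;     /* [APPLICATION 0] IMPLICIT SEQUENCE */
    if (!der_length(tok, len, &pos, &inner)) return MECH_INVALID;
    if (inner != len - pos) return MECH_INVALID;                /* wrapper length must match the buffer */
    if (pos >= len || tok[pos++] != 0x06) return MECH_INVALID;  /* OBJECT IDENTIFIER */
    if (!der_length(tok, len, &pos, &oidlen)) return MECH_INVALID;
    if (oidlen == 0 || oidlen > len - pos) return MECH_INVALID;
    const uint8_t *oid = tok + pos;
#define OID_IS(c) (oidlen == sizeof(c) && memcmp(oid, (c), oidlen) == 0)
    if (OID_IS(OID_SPNEGO))  return MECH_SPNEGO;
    if (OID_IS(OID_KRB5))    return MECH_KRB5;
    if (OID_IS(OID_MS_KRB5)) return MECH_MS_KRB5;
#undef OID_IS
    return MECH_UNKNOWN;
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Base64-decode the payload of "Negotiate <b64>" into out; return the decoded
 * length, or 0 if the scheme is not Negotiate or the base64 is invalid. */
size_t decode_negotiate_header(const char *hdr, uint8_t *out, size_t cap)
{
    if (strncmp(hdr, "Negotiate ", 10) != 0) return 0;
    size_t n = 0; unsigned acc = 0; int bits = 0;
    for (const char *p = hdr + 10; *p && *p != '='; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) return 0;
        acc = ((acc << 6) | (unsigned)v) & 0xffffff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return 0;
            out[n++] = (uint8_t)((acc >> bits) & 0xff);
        }
    }
    return n;
}

/* Convenience wrapper: classify straight from the header value. */
enum mech classify_negotiate_header(const char *hdr)
{
    uint8_t tok[4096];
    size_t n = decode_negotiate_header(hdr, tok, sizeof tok);
    return n ? classify_gss_token(tok, n) : MECH_INVALID;
}

/* Constructed samples: valid wrappers followed by a stub mechanism token body. */
const char SAMPLE_SPNEGO_HEADER[] = "Negotiate YAsGBisGAQUFAqABAA==";   /* 60 0B 06 06 2B 06 01 05 05 02 A0 01 00 */
const uint8_t SAMPLE_KRB5_TOKEN[] = { 0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00 };
const uint8_t SAMPLE_TRUNCATED_TOKEN[] = { 0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48 };   /* wrapper claims 13 bytes, 5 present */

int main(void)
{
    static const char *names[] = { "invalid/malformed header", "SPNEGO", "Kerberos 5", "MS Kerberos 5", "unknown mechanism" };
    printf("header sample : %s\n", names[classify_negotiate_header(SAMPLE_SPNEGO_HEADER)]);
    printf("krb5 sample   : %s\n", names[classify_gss_token(SAMPLE_KRB5_TOKEN, sizeof SAMPLE_KRB5_TOKEN)]);
    printf("truncated     : %s\n", names[classify_gss_token(SAMPLE_TRUNCATED_TOKEN, sizeof SAMPLE_TRUNCATED_TOKEN)]);
    return 0;
}
```

Fed the base64 value from a failing request, this tells you whether the outer wrapper is intact and which mechanism the browser chose; if it reports SPNEGO or Kerberos 5 for a token the server still rejects, the problem lies inside the mechanism token rather than in the header, which is the distinction the error messages in this thread do not make.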
Thanks. The problem is with Firefox on Windows (sorry for neglecting to mention that :) - and also IE on Windows - except IE can figure out to ask the user for his Windows credentials and then they are logged in.
P.S. When using Firefox or IE, and you aren't allowed (i.e. aren't in the required user list), you're simply shown a blank page - not the 403 that should be shown.
I don't see a reason why firefox and IE handle the response differently, but I'll have a look at it as well.
Markus
Klavs,
if you change line 885 of mod_gss_auth_krb5.c
from
return AUTH_REQUIRED;
to
return HTTP_FORBIDDEN;
you should get the right 403 return code.
Regards
Markus
And Thank you VERY MUCH for your help.
and btw. it works perfectly for firefox on Mac OS X too :)
Klavs,
find below a patch which adds the creation of two files (/tmp/token.bin and /tmp/token.base64) when an error in the spnego parser occurs. It will contain only the last token which created the error. Could you send us the token to analyse the ASN.1 structure, as it fails during the parsing of the structure.
Thanks
Markus
--- mod_auth_gss_krb5.c 2005-03-15 09:57:08.000000000 +0000
+++ mod_auth_gss_krb5_n.c 2005-03-15 10:00:55.000000000 +0000
@@ -467,7 +467,31 @@
if ( rc < 100 || rc > 199 ) {
ret = HTTP_UNAUTHORIZED;
goto end;
- }
+ } else {
+ int fd;
+#define PERMS 644
+ if ((fd=creat("/tmp/token.bin",PERMS)) != -1) {
+ if ( write(fd,input_token.value,input_token.length)!=input_token.length) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
+ "Could not write token to file /tmp/token.bin");
+ }
+ close(fd);
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
+ "Could not create file /tmp/token.bin");
+ }
+ if ((fd=creat("/tmp/token.base64",PERMS)) != -1) {
+ if ( write(fd,auth_param,strlen(auth_param))!=strlen(auth_param)) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
+ "Could not write token to file /tmp/token.base64");
+ }
+ close(fd);
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
+ "Could not create file /tmp/token.base64");
+ }
+
+ }
spnego_flag=0;
} else {
input_token.length=kerberosTokenLength;
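Review bot: the mode passed to creat() in the new else-branch is wrong: `#define PERMS 644` is decimal 644, which is octal 01204, so the files get the sticky bit, owner write-only and world read instead of 0644; write it as `0644`, and since the dump is a client's GSS token (for Kerberos, an AP-REQ), 0600 is the mode to use. The fixed paths /tmp/token.bin and /tmp/token.base64 are also a problem on a shared host: creat() follows an existing symlink and overwrites its target as the Apache user, and with the mode above any local user can read the dumped token; mkstemp() in a directory writable only by the server user, or a path under ServerRoot, avoids both. Finally, `write(...) != input_token.length` and `!= strlen(auth_param)` compare a signed ssize_t against an unsigned length, so a -1 error return is silently converted before the comparison; check `< 0` first, and keep the whole dump behind a compile-time debug flag so it cannot ship enabled.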
Sorry I haven't been able to do something about this before now - but I'll be patching the module now, and saving the failed tickets.
It would be of great help if you could enlighten me as to why I can log in with IE (when the kerberos ticket fails it fails in both browsers), but not with Firefox (it asks for auth - but it seems it can't do domain logons).
Also - I would have thought that if I authenticated with IE - I would get a new ticket - but I don't (looked in kerbtray) - and even though IE can get in after authenticating - firefox still can't (it seems it saves a kerberos ticket like it was a session cookie - if I restart IE - I have to reauth).
Klavs
You have to configure Firefox as follows:
1) Type about:config as URL
2) You will see a new line called Filter. Type nego as the filter
3) You see two lines with network.negotiate-auth. Double click each and fill in the domain name of the servers for which you want to have automated domain login (e.g. .domain1.com,.domain2.com)
Markus
Actually I only had the field called trusted-uri's filled out. The other one seems to have no effect. Anyone know what it does?
I have tried to fill it out, to see if it made any difference, but didn't seem to.
I've emailed mammoeller at users.sf.net a failed ticket - which most definitely wasn't broken. The weird thing is that I have a ticket for that server, according to klist (which hasn't expired) - but yet it doesn't work. It works for two other servers, where I also have tickets.
Klavs,
I received the token and it looked "normal". One thing we noticed is that it has a kvno of 3. Is that correct ?
Did the token produce the header error ?
Markus
I still have this problem. To get a new domain/realm ticket I have to log off and on again, which then enables me to get a new ticket for the webservers :(
(this is on windows).
Any ideas on how to fix this? if kinit existed for windows, so I could re-authenticate as I can on Linux/OS X - that would be fine - so I wouldn't have to log off to get a new ticket.
I think a screen lock and reentering the password should be enough.
Regards
Markus
Unfortunately it wasn't for me this morning. I also tried to purge the keys with klist purge - and then screen lock+unlock - but no go. It would not work, before I had logged off and on again :(