I believe I've set up my keytab correctly; however, I'm getting the following in the Apache log when I try to authenticate:
[Wed Jan 18 15:05:49 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API: Miscellaneous failure)
[Wed Jan 18 15:05:49 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API mechanism: Decrypt integrity check failed)
Any ideas as to what the problem might be? I verified that kpasswd works on my Linux server (where Apache is running). I'm using Apache 2.0.52 on RedHat Linux (2.4.21-27.EL) Kerberos version 1.2.7-31
Thanks in advance,
-Brian
Can you set the Apache LogLevel to debug to get more detailed messages? I assume you didn't get a Kerberos token but an NTLM token.
Regards
Markus
I don't think it's an NTLM token, how can I find out for sure? Here's some additional logging:
(I added a log statement to write out the Kerberos token, or at least part of it)
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: entering handleSpnegoToken
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: parseSpnegoInitialToken succeeded
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: entering handleKerberosToken
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: KRB5 service name is HTTP
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: service name HTTP selected
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: gss_import_name succeeded
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: KRB5 key tab file is /usr/local/nProcess/Apache/conf/aragorn.http.keytab
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: set KRB5_KTNAME to /usr/local/nProcess/Apache/conf/aragorn.http.keytab
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: serverName is HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: released server name
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: gss_acquire_cred succeeded
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: inputKerberosToken length: 2555
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: inputKerberosToken: `\x82\t\xf7\x06\t*\x86H\x86\xf7\x12\x01\x02\x02\x01
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: released credential
[Thu Jan 19 06:35:23 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API: Miscellaneous failure)
[Thu Jan 19 06:35:23 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API mechanism: Decrypt integrity check failed)
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: released output token
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: handleKerberosToken returned 500
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: handleSpnegoToken returned 500
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: WWW-Authenticate value is "Negotiate YB4GBisGAQUFAqEUMBKgAwoBAKELBgkqhkiG9xIBAgI="
[Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: authenticateUser returning 500
Can you do the following check on the keytab?
kinit -k -t /usr/local/nProcess/Apache/conf/aragorn.http.keytab HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL
to see if the keytab entry is valid. Do you use DES or RC4?
Markus
That returns:
kinit(v5): Client not found in Kerberos database while getting initial credentials
I am using DES (at least that's what I've specified on my active directory account)
klist -e -k -t shows:
1 12/31/69 16:00:00 HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL (DES cbc mode with RSA-MD5)
What have I done wrong?
Thanks,
-B
More information on kinit. I was able to get kinit to work with the host principal, but not the HTTP principal. For example,
kinit -k -t /etc/krb5.keytab host/aragorn.nexprise.com works fine.
kinit -k -t /etc/krb5.keytab HTTP/aragorn.nexprise.com fails with the message:
kinit(v5): Client not found in Kerberos database while getting initial credentials
klist shows:
[root@aragorn logs]# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/aragorn.nexprise.com@MYCOMPANY.LOCAL (DES cbc mode with CRC-32)
1 HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL (DES cbc mode with CRC-32)
[root@aragorn logs]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/aragorn.nexprise.com@MYCOMPANY.LOCAL
Valid starting Expires Service principal
01/26/06 07:23:55 01/26/06 17:23:55 krbtgt/MYCOMPANY.LOCAL@MYCOMPANY.LOCAL
Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@aragorn logs]#
Any ideas as to why the host principal works OK but not the HTTP principal? On the Windows DC, I ran setspn -A for both host and HTTP and both host and HTTP principals are mapped to the same user account in the active directory.
Thanks,
-B
It depends on how you have created the entry in AD.
kinit checks the userPrincipalName (UPN) attribute in AD. So if you added the HTTP/fqdn service principal name (SPN) to an account with another UPN, kinit does not work (but the keytab might still be OK to verify service tickets).
What is the UPN in AD for the host/fqdn principal?
Markus
I have one UPN (host/aragorn.nexprise.com@MYCOMPANY.LOCAL)
that has multiple servicePrincipalName(s)
host/aragorn.nexprise.com and HTTP/aragorn.nexprise.com
Should this work OK with mod_spnego or do I need to create separate UPNs for host and HTTP?
Thanks,
-B
Yes that should work. If the host and HTTP SPN share the same AD account their keys are the same. You can check this with klist -e -K -k keytab_file.
You will get something like:
1 host/moelma.wks.mm.com@KERBTEST.COM (ArcFour with HMAC/md5) (0xddc70674d4993a43346b3e8b578542f1)
1 HOST/moelma.wks.mm.com@KERBTEST.COM (ArcFour with HMAC/md5) (0xddc70674d4993a43346b3e8b578542f1)
The last entry is the key and they should be the same for host and HTTP. If not you can do the following:
>ktutil
ktutil: addent -key -p HTTP/aragorn.nexprise.com -k 1 -e arcfour-hmac
Key for HTTP/aragorn.nexprise.com@DBG.ADS.DB.COM (hex):ddc70674d4993a43346b3e8b578542f1
ktutil: wkt HTTP.keytab
ktutil: quit
This creates a keytab with the same key.
Markus
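The check in the post above (`klist -e -K -k` and comparing the hex keys of the host and HTTP entries) can be done in code against the keytab file itself. What follows is an added example, not code from the thread, from mod_spnego or from MIT Kerberos: a reader for the MIT keytab format (the `05 02` file that `klist -k` reads), a grouping step that flags SPNs on the same host, realm and enctype whose keys differ, and two in-memory keytabs built from constructed DES keys that reproduce the situation in the thread before and after the `ktutil addent` fix. The key bytes, the `build_keytab` fixture writer and the `klist_style` renderer are mine; the principal and realm names are the thread's.

```python
"""Parse an MIT keytab and compare the keys that different SPNs on one host carry."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _octets(data, pos):
    """16-bit length-prefixed string at pos -> (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry: principal, realm, kvno, enctype, key (hex)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # v2: realm not counted
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _octets(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _octets(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, enctype),
                        "key": key.hex()})
        pos = end
    return entries


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype_id, key_bytes) tuples; fixture only."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def find_key_mismatches(entries):
    """SPNs for the same host, realm and enctype that carry different keys.

    host/x and HTTP/x registered on one AD account share one password, so for a
    given enctype their keys must be identical; a difference means one entry was
    extracted from a different password than the KDC is issuing tickets under."""
    groups = {}
    for e in entries:
        svc, _, host = e["principal"].partition("/")
        groups.setdefault((e["realm"], host.lower(), e["enctype"]), {})[svc] = e
    problems = []
    for (realm, host, etype), by_svc in sorted(groups.items()):
        if len({e["key"] for e in by_svc.values()}) > 1:
            problems.append({"host": host, "realm": realm, "enctype": etype,
                             "keys": {s: (e["kvno"], e["key"]) for s, e in by_svc.items()}})
    return problems


def klist_style(entries):
    """Render entries the way 'klist -e -K -k' prints them."""
    return ["%d %s@%s (%s) (0x%s)" % (e["kvno"], e["principal"], e["realm"],
                                       e["enctype"], e["key"]) for e in entries]


REALM = "MYCOMPANY.LOCAL"
HOST_SPN, HTTP_SPN = "host/aragorn.nexprise.com", "HTTP/aragorn.nexprise.com"
# Constructed DES keys (odd parity, otherwise arbitrary); not real key material.
KEY_A = bytes.fromhex("01020407080b0d0e")
KEY_B = bytes.fromhex("10131516191a1c1f")
# The thread's /etc/krb5.keytab: same AD account, but the HTTP entry carries a different key.
BROKEN_KEYTAB = build_keytab([(HOST_SPN, REALM, 1, 1, KEY_A), (HTTP_SPN, REALM, 1, 1, KEY_B)])
# After 'ktutil addent -key' with the host key, both SPNs carry KEY_A.
FIXED_KEYTAB = build_keytab([(HOST_SPN, REALM, 1, 1, KEY_A), (HTTP_SPN, REALM, 1, 1, KEY_A)])

if __name__ == "__main__":
    for label, kt in [("broken", BROKEN_KEYTAB), ("fixed", FIXED_KEYTAB)]:
        print(label, *klist_style(parse_keytab(kt)), sep="\n  ")
        print("  mismatches:", find_key_mismatches(parse_keytab(kt)))
```

On a real host, `find_key_mismatches(parse_keytab(open("/etc/krb5.keytab", "rb").read()))` gives the same answer as eyeballing `klist -e -K -k`, and an empty list is the state to aim for before pointing mod_spnego at the file. The comparison is per enctype on purpose: the same account password yields different keys for DES and RC4, so only entries of the same enctype are expected to match.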
That was it! The Hex keys were different for host and HTTP. I used ktutil as you described and I now have a working mod_spnego. Thanks for your help!
-B
Can you do a kinit with your userid? It looks as if the configuration is wrong. If the config is correct, it might be a keytab creation problem. Do you have an LDAP browser (e.g. Softerra) to browse Active Directory? Search for (servicePrincipalName=HTTP/*) entries. This should show that you have a service principal for HTTP/...
How did you extract the keytab ?
Markus
I followed instructions from the MSDN article on SPNEGO. I used:
setspn -A HTTP/aragorn.nexprise.com aragorn
to create the SPN. Then used ktpass to produce the keytab:
ktpass -princ HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL -pass * -mapuser aragorn -out c:\temp\aragorn.http.keytab
Then I transferred the file over to my Linux server using 'scp'.
Searching as you suggested in Softerra shows CN=aragorn,CN=Users,DC=mycompany,DC=local
which looks correct to me
Thanks,
-B
Can you capture the traffic on port 88 with Ethereal when you do a kinit HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL?
Usually you should get a password prompt. Can you also check with Softerra whether the userPrincipalName in AD is HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL?
Do you use w2k3 SP1 and the latest Windows ktpass? For DES you need to set the account DESONLY (BTW, the latest MIT releases have RC4 support, which is better, and you don't need to worry about the DESONLY flag).
Markus
The userPrincipalName is aragorn@MYCOMPANY.LOCAL.
Trying kinit with that principal just hung. Ethereal gave an additional hint in that it showed a PRE_AUTH_REQUIRED response being sent back.
I'm trying this with w2k and not w2k3. Perhaps I'll try to setup a w2k3 SP1 active directory and try the latest MIT release with RC4.
Thanks for your help.
-B
If you use w2k, set the account DESONLY, change the password once, and then do the ktpass extraction.
Markus
I've already tried that (several times) to no avail.
Then I don't know what else you can do. It looks to me as if you do not have the right key in your keytab.
Can you try the latest ktpass (the one for w2k3) with RC4. The w2k3 version of ktpass supports RC4-HMAC and should work with w2k too.
Markus
You may want to try a tool like
http://www.pppl.gov/~dperry/msktutil.tar.gz to create the keytab directly on your Unix box.
Markus