apache - Kerberos SSO with mod_auth_kerb: Verification code 589824 and Token seems to be NTLM
I've run into difficulties kerberizing a host, t.p.no. I'm following http://grolmsnet.de/kerbtut, which has worked for kerberizing other hosts that are not added to the Windows domain.
The problem seems to be that the client sends NTLM tokens for some reason.
I'll go through the setup, the state of the server, and the test client:
Server
Environment:
OS: CentOS 5.9
Kerberos, Apache and mod_auth_kerb installed via yum:

    httpd.x86_64               2.2.3-76.el5.centos   installed
    httpd-devel.i386           2.2.3-76.el5.centos   installed
    httpd-devel.x86_64         2.2.3-76.el5.centos   installed
    mod_auth_kerb.x86_64       5.1-5.el5             installed
    krb5-devel.x86_64          1.6.1-70.el5          installed
    krb5-libs.i386             1.6.1-70.el5          installed
    krb5-libs.x86_64           1.6.1-70.el5          installed
    krb5-workstation.x86_64    1.6.1-70.el5          installed
    pam_krb5.i386              2.2.14-22.el5         installed
    pam_krb5.x86_64            2.2.14-22.el5         installed

KDC/DC: Windows Server 2003 SP2
Kerberos:
I've had a domain admin create an AD account and run ktpass to map the SPN to the account with:

    ktpass.exe /princ HTTP/t.p.no@TESTSONE2.P.LOCAL /mapuser testsone2\user /crypto DES-CBC-MD5 +DesOnly /pass *** /ptype KRB5_NT_PRINCIPAL /out t.keytab

On the server/host I'm trying to kerberize, I've done the following to verify that Kerberos is configured properly:
    # kinit -V jhs@TESTSONE2.P.LOCAL
    Password for jhs@TESTSONE2.P.LOCAL:
    Authenticated to Kerberos v5
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jhs@TESTSONE2.P.LOCAL

    Valid starting     Expires            Service principal
    05/13/13 15:32:13  05/14/13 01:32:17  krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
            renew until 05/14/13 15:32:13

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

And I've checked that the KDC sends me tickets for the principal:
    # kvno HTTP/t.p.no@TESTSONE2.P.LOCAL
    HTTP/t.p.no@TESTSONE2.P.LOCAL: kvno = 9
    # klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jhs@TESTSONE2.P.LOCAL

    Valid starting     Expires            Service principal
    05/13/13 15:32:13  05/14/13 01:32:17  krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
            renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    05/13/13 15:34:27  05/14/13 01:32:17  HTTP/t.p.no@TESTSONE2.P.LOCAL
            renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

The kvno matches the one in the keytab:
    # ktutil
    ktutil:  rkt t.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    9 HTTP/t.p.no@TESTSONE2.P.LOCAL

t.p.no has an A record, and the resolved IP address reverse-resolves to t.p.no.
This is the virtual host config; it's a simple Passenger-served Rails app. It was tested and working before adding the Location section with the authentication-related directives:

    <VirtualHost *:80>
        DocumentRoot /home/p/testapp/public
        ServerName t.p.no
        RackEnv staging
        RailsEnv staging
        <Directory /home/p/testapp/public>
            Options -MultiViews
        </Directory>
        <Location />
            AuthType Kerberos
            AuthName "Logg inn"
            KrbMethodNegotiate on
            KrbMethodK5Passwd off
            KrbAuthRealms TESTSONE2.P.LOCAL
            # No difference if using the full SPN here
            KrbServiceName HTTP
            Krb5Keytab /etc/httpd/keys/t.keytab
            require valid-user
        </Location>
        LogLevel debug
        CustomLog logs/t.p.no-access_log combined_forwarded
        ErrorLog logs/t.p.no-error_log
    </VirtualHost>

When the client enters t.p.no in Internet Explorer, Apache logs the following:
    [debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [debug] src/mod_auth_kerb.c(1151): [client 139.x.x.201] Acquiring creds for HTTP/t.p.no@TESTSONE2.P.LOCAL
    [debug] src/mod_auth_kerb.c(1270): [client 139.x.x.201] Verifying client data using KRB5 GSS-API
    [debug] src/mod_auth_kerb.c(1286): [client 139.x.x.201] Verification returned code 589824
    [debug] src/mod_auth_kerb.c(1313): [client 139.x.x.201] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [error] [client 139.116.152.201] gss_accept_sec_context() failed: An invalid token was supplied (No error)

Client
OS: Windows Server 2008 SP1
IE has IWA enabled, and http://t.p.no is added to the list of intranet hosts.
On the client, when attempting to access t.p.no, I'm seeing 2 requests in Fiddler. In the first, the client sends no authentication headers; the server responds with status 401 and the header WWW-Authenticate: Negotiate.
In the second request, the client sends the header Authorization: Negotiate [token data]. In the Auth tab in Fiddler the token data is shown as:
    -[NTLM Type1: Negotiation]------------------------------
    Provider: NTLMSSP
    Type: 1
    OS Version: 6.1:7601
    Flags: 0xe2088297
        Unicode supported in security buffer.
        OEM strings supported in security buffer.
        Request server's authentication realm included in Type2 reply.
        Sign (integrity) NTLM authentication.
        Negotiate Sign.
        Negotiate NTLM2 Key.
        Supports 56-bit encryption.
        Supports 128-bit encryption.
        Client will provide master key in Type 3 session key field.
    domain_offset: 0; domain_length: 0; domain_length2: 0
    host_offset: 0; host_length: 0; host_length2: 0
    Host:
    Domain:
    ------------------------------------

Any help in finding out the cause of the NTLM tokens being sent is appreciated!
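The distinction mod_auth_kerb is making in its log line 1313 (a Negotiate header that carries an NTLMSSP blob rather than a SPNEGO or raw Kerberos GSS token) can be checked from a capture without the module. The following is an added example, not code from the post or from mod_auth_kerb: it classifies the token in an `Authorization: Negotiate` header by its leading bytes (the `NTLMSSP\0` signature versus the DER `0x60` GSS-API tag followed by the SPNEGO or Kerberos mechanism OID) and, for an NTLM Type 1 message, decodes the flags and OS version the way Fiddler's Auth tab does. The sample headers are constructed here (an NTLM Type 1 with the flags and 6.1:7601 version from the Fiddler dump, and the start of a SPNEGO token); the flag names are the ones from MS-NLMP.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <b64>' header and,
when it is an NTLM Type 1 (negotiate) message, decode it much as Fiddler's
Auth tab does, so an admin can confirm from a capture whether the browser
sent Kerberos/SPNEGO or fell back to NTLM. Added example; sample tokens
below are constructed, not captured from a real client."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER OID TLVs that follow the 0x60 GSS-API InitialContextToken tag
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2

# NTLMSSP NEGOTIATE flag bits (MS-NLMP 2.2.2.5) relevant to a Type 1 message
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # Fiddler: "NTLM2 Key"
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NTLM_VERSION = 0x02000000


def _der_body(raw):
    """Return the bytes following a 0x60 tag and its (short or long) DER length."""
    first = raw[1]
    if first < 0x80:
        return raw[2:]
    return raw[2 + (first & 0x7F):]


def classify_token(raw):
    """'ntlm', 'spnego', 'kerberos' or 'unknown' for a base64-decoded token."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(raw) > 2 and raw[0] == 0x60:
        body = _der_body(raw)
        if body.startswith(OID_SPNEGO):
            return "spnego"
        if body.startswith(OID_KRB5) or body.startswith(OID_MS_KRB5):
            return "kerberos"
    return "unknown"


def parse_ntlm_type1(raw):
    """Decode the fixed fields of an NTLM NEGOTIATE_MESSAGE (Type 1)."""
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected NTLM Type 1, got type {msg_type}")
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)   # DomainNameFields
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)     # WorkstationFields
    info = {
        "flags": flags,
        "flag_names": [n for b, n in sorted(NTLM_FLAGS.items()) if flags & b],
        "domain": raw[dom_off:dom_off + dom_len].decode("latin-1"),
        "workstation": raw[ws_off:ws_off + ws_len].decode("latin-1"),
        "os_version": None,
    }
    if flags & NTLM_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["os_version"] = f"{major}.{minor}:{build}"   # Fiddler's notation
    return info


def describe_negotiate_header(header_value):
    """Summarise an 'Authorization: Negotiate <b64>' header value."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(token_b64)
    result = {"kind": classify_token(raw)}
    if result["kind"] == "ntlm":
        result["ntlm"] = parse_ntlm_type1(raw)
    return result


def build_ntlm_type1(flags, major, minor, build):
    """Constructed sample: a Type 1 message with empty domain/workstation fields."""
    return (NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
            + struct.pack("<HHI", 0, 0, 0) + struct.pack("<HHI", 0, 0, 0)
            + struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f")


# Constructed samples: an NTLM fallback with the flags and OS version seen in
# the Fiddler dump above, and the leading bytes of a SPNEGO token for contrast.
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    build_ntlm_type1(0xE2088297, 6, 1, 7601)).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(OID_SPNEGO) + 4]) + OID_SPNEGO + b"\xa0\x02\x30\x00").decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER):
        print(describe_negotiate_header(hdr))
```

A real SPNEGO token from IE starts with the `0x60` tag and the SPNEGO OID, base64 `YII...` or `YI...`; an NTLMSSP blob always base64-encodes to a string starting `TlRMTVNTUAAB`, which is the quickest thing to look for in the Fiddler header view.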
As mentioned, the test client is a 2008 Server R2. The article (http://support.microsoft.com/kb/977321) pertaining to Windows 7 clients and Windows Server 2008 R2 states that DES encryption for Kerberos authentication is disabled by default in these products.
I followed the steps in the article to re-enable DES on the client; the KDC is 2003 and should still support DES. Authentication succeeded.
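The root cause above was a keytab created with `/crypto DES-CBC-MD5 +DesOnly` facing a client that no longer offers DES. The keytab side of that mismatch is easy to audit: list the encryption type of every key in the file and flag a keytab that holds nothing but single-DES keys. The following is an added example, not code from the post; it parses the MIT keytab format (version bytes `0x05 0x02`, which is what ktpass and ktutil write) and builds a constructed sample keytab mirroring the ktutil listing above (slot 1, kvno 9, `HTTP/t.p.no@TESTSONE2.P.LOCAL`, des-cbc-md5) with dummy key bytes.

```python
"""Report the enctype of every key in an MIT-format keytab (version 0x0502)
and flag keytabs that contain only single-DES keys, which Windows 7 /
Server 2008 R2 clients refuse by default. Added example; the sample keytab
is constructed in this file, not taken from a real host."""
import struct
import sys

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}


def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per key entry: principal, kvno, enctype, enctype_name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        ent = data[off:off + size]
        off += size
        p = 0
        (ncomp,) = struct.unpack_from(">H", ent, p); p += 2
        realm, p = _counted(ent, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(ent, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", ent, p); p += 9
        enctype, klen = struct.unpack_from(">HH", ent, p); p += 4
        p += klen                     # skip the key material itself
        kvno = vno8
        if p + 4 <= len(ent):         # optional 32-bit kvno extension
            (kvno32,) = struct.unpack_from(">I", ent, p)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
        })
    return entries


def only_single_des(entries):
    """True when every key in the keytab is a single-DES key."""
    return bool(entries) and all(e["enctype"] in SINGLE_DES for e in entries)


def build_keytab(entries):
    """Constructed sample: serialise (principal, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample mirroring the ktutil listing: one des-cbc-md5 key, kvno 9.
SAMPLE_KEYTAB = build_keytab([("HTTP/t.p.no@TESTSONE2.P.LOCAL", 9, 3, b"\x00" * 8)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print(f"{e['kvno']:>4}  {e['enctype_name']:<24} {e['principal']}")
    if only_single_des(found):
        print("WARNING: keytab holds only single-DES keys")
```

Run it against a real keytab with `python3 keytab_enctypes.py /etc/httpd/keys/t.keytab` (file name assumed); a DES-only result means every client that has DES disabled will either fall back to NTLM, as IE did here, or fail outright.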