Topic: 'mod_auth_kerb' authentication issue with Kerberos

Author: sksahu
Joined: 18 Sep 2017
Posts: 1
Location: India, Bangalore

Posted: Mon 18 Sep '17 16:54    Post subject: 'mod_auth_kerb' authentication issue with Kerberos

Hi,
Please check below the configuration for our application (MediaWiki 1.25.3) with Apache/2.2.15 (Unix) environments.
a) MediaWiki application configured with SSO, verifying authentication with the Kerberos server.
b) MediaWiki has been set up with SSL/TLS to ensure a secure connection.
c) Below are the 5 types of cryptos (encryption types) earlier used in the keytab file to establish a successful Kerberos authentication using a single SPN.
• (des-cbc-crc)
• (des-cbc-md5)
• (arcfour-hmac)
• (aes256-cts-hmac-sha1-96)
• (aes128-cts-hmac-sha1-96)
d) Following is the Kerberos configuration in 'httpd.conf'
<Location "/wiki">
AuthType Kerberos
AuthName "Kerberos Login"
# realm and SPN names below are as given in the post (placeholders)
KrbAuthRealms realarmname
KrbServiceName HOST/wiki.com@realarmname
# keytab holding the service key(s) mod_auth_kerb decrypts tickets with
Krb5Keytab /etc/httpd/conf/keytab
# SPNEGO/Negotiate only; Basic-auth password fallback disabled
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping On
# server-side verification of the KDC via the keytab is turned off
KrbVerifyKDC off
Require valid-user
ErrorDocument 401 /cgi-bin/r.cgi
</Location>
e) Kerberos 5 version 1.10.3
f) Apache/2.2.15(Unix), PHP 5.3.3 (apache2handler) & MySQL 5.1.73

As per corporate policy, weak cryptos are now no longer supported and are denied. We generated the new keytab (binary file) using the following strong crypto types on the KDC server.
• (aes256-cts-hmac-sha1-96)
• (aes128-cts-hmac-sha1-96)

Now we are having an issue with authentication. The Kerberos authentication could not be resumed and throws the following error in the Apache error log.
• gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )


The following error was tracked in the browser while opening the wiki URL in Mozilla.
• This site can’t be reached
• The webpage at https://wikitest.com/wiki/ might be temporarily down or it may have moved permanently to a new web address.
• ERR_ACCESS_DENIED


=========== Workaround done in the following couple of configuration files after initialization of the new keytab (binary file) =============
The new keytab with crypto type aes256-cts-hmac-sha1-96 has been initialized, and meanwhile we got the TGT from the KDC server, which lists the latest KVNO and a couple of SPNs used.

1. Changed Configuration for 'ssl.conf'
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on

2. Changed Configuration for 'krb5.conf'
Below is the workaround.
Added the configuration below in 'etc/' for supporting crypto aes256-cts-hmac-sha1-96/aes128-cts-hmac-sha1-96 [Kerberos client config]
# these are [libdefaults] options of krb5.conf
# default keytab for the Kerberos library; mod_auth_kerb uses the Krb5Keytab path from httpd.conf instead
default_keytab_name = FILE:/etc/httpd/conf/st-vwikidev.keytab
# enctypes requested for the TGT and for service tickets
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
# enctypes this host accepts at all
permitted_enctypes = aes256-cts-hmac-sha1-96

After all of the above configuration changes on the RHL server, we still could not resume Kerberos authentication on our server.

Please let us know if Apache/2.2.15 supports the strong crypto type aes256-cts-hmac-sha1-96 being validated through the mod_auth_kerb module, or do we need to upgrade to Apache 2.4 to support this strong crypto? Please help/suggest; it's highly appreciated.


Thanks in advance.
Sanjay
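The post hinges on which enctypes and key version the new keytab actually contains, since mod_auth_kerb can only decrypt a service ticket with a keytab entry whose enctype and kvno match it. Below is an added example, not code from the post or from the mod_auth_kerb project, that parses an MIT keytab (format 0x0502) offline and reports weak enctypes, principals that still carry an AES key, and the kvnos present; the SPN, realm, kvno and key bytes in the sample are constructed, and klist -ket shows the same information on a real file.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}   # RFC 3961 enctype numbers
WEAK, AES = {1, 3, 23}, {17, 18}
def _unpack(fmt, data, pos):            # unpack big-endian fields, return (*fields, new_pos)
    return struct.unpack_from(fmt, data, pos) + (pos + struct.calcsize(fmt),)
def _read_counted(data, pos):           # keytab "counted octet string": uint16 length + bytes
    n, pos = _unpack(">H", data, pos)
    return data[pos:pos + n], pos + n
def keytab_entry(principal, kvno, enctype, key):   # serialise one 0x0502 entry (sample data only)
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s for s in [realm.encode(), *map(str.encode, comps)])
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name_type=NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, vno32
    return struct.pack(">i", len(body)) + body             # positive size = live entry

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in MIT keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = _unpack(">i", data, pos)
        if size < 0:                                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, pos = _unpack(">H", data, pos)
        strs = [b""] * (ncomp + 1)                         # realm first, then name components
        for i in range(ncomp + 1):
            strs[i], pos = _read_counted(data, pos)
        _, _, kvno, pos = _unpack(">IIB", data, pos)       # skip name_type, timestamp; keep vno8
        enctype, klen, pos = _unpack(">HH", data, pos)
        if end - (pos + klen) >= 4:                        # 32-bit vno after the key overrides vno8
            kvno, _ = _unpack(">I", data, pos + klen)
        entries.append((b"/".join(strs[1:]).decode() + "@" + strs[0].decode(), kvno, enctype))
        pos = end
    return entries
def audit_keytab(data):   # flag weak enctypes; list principals that still carry an AES key
    entries = parse_keytab(data)
    return {"weak": [(p, k, ENCTYPES.get(e, str(e))) for p, k, e in entries if e in WEAK],
            "aes": sorted({p for p, _, e in entries if e in AES}),
            "kvnos": sorted({k for _, k, _ in entries})}
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(   # constructed: the post's five enctypes, one SPN, kvno 3
    keytab_entry("HOST/wiki.com@EXAMPLE.REALM", 3, et, b"\x00" * n)
    for et, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16)))
```

Running audit_keytab on the old five-enctype keytab lists the three weak entries; on an AES-only keytab "weak" is empty, and "kvnos" shows whether the kvno the KDC issues tickets with is actually present.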