Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: apache-mod_auth Client didn't delegate us their credential |
|
| Author |
|
yrakkesh
Joined: 25 Sep 2013
Posts: 1
Location: hyderabad
|
 Posted: Wed 25 Sep '13 21:27 Post subject: apache-mod_auth Client didn't delegate us their credential |
 |
|
I am trying to setup Integrated Windows authentication with kerberos using ActiveDirectory in windows server 2008 and everything works well and I am able to get kerberos tickets on successful login. I am facing problem in forwarding this ticket to server where Apache is configured. When forwading ticket KRB5CCNAME is not set in Apache/PHP environment variables.
My kerberos configuration file(krb5.conf) is
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DIVAMI.COM
default_keytab_file = /etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DIVAMI.COM = {
kdc = meluha.divami.com:88
admin_server = meluha.divami.com:749
default_domain = divami.com
}
[domain_realm]
meluha.divami.com = DIVAMI.COM
divami.com = DIVAMI.COM
Apache mod_auth_kerb configuration file(auth_kerb) is
<Location /perfmon>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DIVAMI.COM
Krb5KeyTab /etc/httpd/conf.d/apache.keytab
KrbSaveCredentials On
KrbServiceName HTTP/greenplum.divami.com
require valid-user
ErrorDocument 404 "No favicon"
</Location>
Browser configuration
Firefox
Set network.negotiate-auth.delegation-uris to greenplum.divami.com.
Set network.negotiate-auth.trusted-uris to greenplum.divami.com
IE
In Internet Explorer, select Tools > Internet Options.
In the Local Internet (Advanced) dialog box, enter all relative domain names that will be used on the intranet (e.g. greenplum.divami.com).
When I set KrbMethodK5Passwd On,then browser prompt for kerberos username and password on giving valid credentials ticket is generated and it's cached location is set in Apache/PHP environment variable KRB5CCNAME. Using this variable KRB5CCNAME we can use kerberos ticket that is forwaded as credential for authentication.
I am getting following error message when KrbMethodK5Passwd Off.
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1278): [client 10.81.17.156] Acquiring creds for HTTP/greenplum.divami.com
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1707): [client 10.81.17.156] Client didn't delegate us their credential
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1726): [client 10.81.17.156] GSS-API token of length 180 bytes will be sent back
plum.divami.com/perfmon/login.php
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API , referer:http://greenplum.divami.com/perfmon/login.php
I have no idea whether browser fails in picking kerberos ticket or browser picks the ticket but unable to set cached location in KRB5CCNAME.
please help me in solving this issue. |
|
| Back to top |
|
|
|
|
|
|
