Topic: 'mod_auth_kerb' authentication issue with Kerberos
Author: sksahu
Joined: 18 Sep 2017 Posts: 1 Location: India, Bangalore
Posted: Mon 18 Sep '17 16:54 Post subject: 'mod_auth_kerb' authentication issue with Kerberos
Hi,
Please check below the configuration for our application (MediaWiki 1.25.3) with Apache/2.2.15 (Unix) envs.
a) MediaWiki application configured with SSO, verifying authentication with the Kerberos server.
b) MediaWiki has been set up for SSL/TLS to ensure a secure connection.
c) Below are the 5 types of cryptos (encryption types) earlier used in the keytab file to establish a successful Kerberos authentication using a single SPN.
(des-cbc-crc)
(des-cbc-md5)
(arcfour-hmac)
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)
d) The following is the Kerberos configuration in 'httpd.conf':
<Location "/wiki">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms realarmname
    KrbServiceName HOST/wiki.com@realarmname
    Krb5Keytab /etc/httpd/conf/keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbLocalUserMapping On
    KrbVerifyKDC off
    Require valid-user
    ErrorDocument 401 /cgi-bin/r.cgi
</Location>
e) Kerberos 5 version 1.10.3
f) Apache/2.2.15(Unix), PHP 5.3.3 (apache2handler) & MySQL 5.1.73
As per corporate policy, weak cryptos are now no longer supported and are denied. We generated the new keytab (binary file) using the following strong crypto types on the KDC server.
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)
Now we are having an issue/problem with authentication. The Kerberos authentication could not be resumed and throws the following error in the Apache error log.
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
The following ERROR was tracked in the browser while executing the WIKI URL in Mozilla.
This site can't be reached
The webpage at https://wikitest.com/wiki/ might be temporarily down or it may have moved permanently to a new web address.
ERR_ACCESS_DENIED
=========== WORKAROUND done in the following couple of configuration files after initialization of the new keytab (binary file) ===========
The new keytab with crypto type (aes256-cts-hmac-sha1-96) has been initialized, and meanwhile we got the TGT from the KDC server, which lists the latest KVNO and a couple of SPNs used.
1. Changed configuration for 'ssl.conf'
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on
2. Changed configuration for 'krb5.conf'
Below is the workaround.
Added the below configuration in 'etc/' for supporting crypto aes256-cts-hmac-sha1-96/aes128-cts-hmac-sha1-96 [Kerberos client config]:
default_keytab_name = FILE:/etc/httpd/conf/st-vwikidev.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
After all of the above configuration changes on the RHL server, we still could not resume Kerberos authentication on our server.
Please let us know if Apache/2.2.15 supports the strong crypto type aes256-cts-hmac-sha1-96 to be validated through the mod_auth_kerb module, or do we require an upgrade to Apache 2.4 to support this strong crypto? Please help/suggest; it's highly appreciated.
Thanks in adv.
Sanjay
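As an added example that is not part of the original post: a small POSIX shell helper that checks a `klist -kte` listing of the keytab (here a constructed sample; the realm name is made up) for enctypes the policy forbids and compares the keytab's highest KVNO with the KVNO the KDC currently issues for the SPN, the two things to verify first when gss_accept_sec_context() starts failing right after a keytab is regenerated. In real use the listing comes from `klist -kte /etc/httpd/conf/keytab` and the KDC-side KVNO from `kvno HOST/wiki.com@REALM` followed by `klist`.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on a keytab listing.

# Constructed sample of MIT `klist -kte` output (realm name is made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 09/18/17 10:00:00 HOST/wiki.com@EXAMPLE.REALM (des-cbc-crc)
   3 09/18/17 10:00:00 HOST/wiki.com@EXAMPLE.REALM (arcfour-hmac)
   4 09/18/17 12:00:00 HOST/wiki.com@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   4 09/18/17 12:00:00 HOST/wiki.com@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)'

# Enctypes the post says corporate policy no longer allows.
WEAK='des-cbc-crc|des-cbc-md5|arcfour-hmac'

# Print keytab entries that still use a weak enctype; status 1 if none.
weak_entries() {
  printf '%s\n' "$1" | grep -E "\((${WEAK})\)$"
}

# Highest KVNO present in the listing (0 if there are no entries).
max_kvno() {
  printf '%s\n' "$1" | awk 'BEGIN { m = 0 }
    $1 ~ /^[0-9]+$/ && $1 + 0 > m { m = $1 + 0 }
    END { print m }'
}

# Succeeds when the keytab's highest KVNO equals the KVNO the KDC reports.
# A mismatch after regenerating the keytab means the KDC encrypts service
# tickets with a key the web server does not have, so GSS acceptance fails.
kvno_matches() {
  [ "$(max_kvno "$1")" -eq "$2" ]
}

# Human-readable summary; run it against a real listing the same way.
report() {
  if weak_entries "$1" >/dev/null; then
    echo "weak enctypes still present in keytab"
  else
    echo "no weak enctypes in keytab"
  fi
  echo "highest KVNO in keytab: $(max_kvno "$1")"
}

report "$SAMPLE_KLIST"
```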