RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory - Problem

RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory - Problem

Jellbauer Jakob
hello list,

I've problems getting this combination, RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory, to work.

my way:

- I've created a new user on a 2003 domain controller
- used the (2003) ktpass tool to create the user mapping
- merged it with the existing keytab file, which contains only "DES cbc mode with RSA-MD5" principals

now I can get a ticket through:

>kinit -S  HTTP/myserver.mydomain-websrvdmz.de

>klist -e
Ticket cache: FILE:/tmp/krb5cc_6024
Default principal: HTTP/[hidden email]

Valid starting     Expires            Service principal
08/25/05 13:13:46  08/25/05 23:13:50  krbtgt/[hidden email]
        renew until 08/26/05 13:13:46, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

but when I try to do SSO via Internet Explorer I get this in the Apache error log:

... gss_accept_sec_context() failed: Miscellaneous failure (Decrypt integrity check failed) ...
... failed to verify krb5 credentials: Decrypt integrity check failed  ...

I have purged my tickets already and I don't have any enctypes specified in my krb5.conf.

In general, is it possible to get this combination to work?

greetings and thanks

jakob



-
Jakob Jellbauer
Network & System Engineer
Information Technology
Interhyp AG | Parkstadt Schwabing  Marcel-Breuer-Str. 18  80807 München
Telefon: 089-76 77 21 47 | Telefax: 089-76 77 251 47  | Mobil: 0151-16 70 19 16
mailto:[hidden email] | www.interhyp.de

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory - Problem

Markus Moeller
Jakob,

if I understand right you have created a new HTTP/server principal with RC4
encryption and merged it with DES only principals. Are the DES only
principals also for HTTP/server? Do you have the DES only flag set on the
account?

Did you use a password with the keytab tool, which would make any previously
extracted key invalid?

I would need some answers to the above questions to understand better what
you did. In principle you can use RC4-hmac.

Regards
Markus


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
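A check for the mismatch Markus asks about, added here as an example that is not code from the thread: it parses constructed `klist -kte` and `klist -e` output (the placeholder realm EXAMPLE.REALM, the kvno values and the host/ entry are assumptions) and reports, per service ticket, whether the keytab holds that principal's key in the enctype the KDC sealed the ticket with, which is what the server needs before gss_accept_sec_context() can pass the integrity check.

```python
import re
from collections import defaultdict

# Constructed `klist -kte` output (EXAMPLE.REALM is a placeholder realm): the merged
# keytab keeps the old DES key for HTTP/ (kvno 3) beside the RC4 key written by
# ktpass (kvno 5), while host/ has a DES key only.
KEYTAB_LISTING = """\
   3 08/25/05 13:10:00 HTTP/myserver.mydomain-websrvdmz.de@EXAMPLE.REALM (DES cbc mode with RSA-MD5)
   5 08/25/05 13:12:00 HTTP/myserver.mydomain-websrvdmz.de@EXAMPLE.REALM (ArcFour with HMAC/md5)
   3 08/25/05 13:10:00 host/myserver.mydomain-websrvdmz.de@EXAMPLE.REALM (DES cbc mode with RSA-MD5)
"""
# Constructed `klist -e` output: the KDC issued RC4-sealed tickets for both services.
TICKET_LISTING = """\
08/25/05 13:14:02  08/25/05 23:13:50  HTTP/myserver.mydomain-websrvdmz.de@EXAMPLE.REALM
        renew until 08/26/05 13:13:46, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/25/05 13:14:30  08/25/05 23:13:50  host/myserver.mydomain-websrvdmz.de@EXAMPLE.REALM
        renew until 08/26/05 13:13:46, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+" + DATE + r"\s+(\S+)\s+\((.+)\)\s*$")
TICKET_RE = re.compile("^" + DATE + r"\s+" + DATE + r"\s+(\S+)\n"
                       r".*Etype \(skey, tkt\): [^,]+, (.+)$", re.M)

def parse_keytab(text):
    """Map principal -> {etype: set of kvnos} from `klist -kte` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for m in filter(None, map(KEYTAB_RE.match, text.splitlines())):
        keys[m.group(2)][m.group(3)].add(int(m.group(1)))
    return keys

def parse_tickets(text):
    """List (service principal, ticket etype) pairs from `klist -e` output; the
    second etype after 'Etype (skey, tkt):' is the key the ticket is sealed with."""
    return [(princ, etype.strip()) for princ, etype in TICKET_RE.findall(text)]

def diagnose(keytab_text, ticket_text):
    """Return {service principal: status}: the server can only decrypt a ticket
    if its keytab holds that principal's key in the ticket's etype."""
    keys, status = parse_keytab(keytab_text), {}
    for princ, tkt_etype in parse_tickets(ticket_text):
        if princ not in keys:
            status[princ] = "missing"  # no keytab entry for this principal at all
        elif tkt_etype not in keys[princ]:
            status[princ] = "etype-mismatch"  # e.g. DES-only key but an RC4 ticket
        elif len({k for s in keys[princ].values() for k in s}) > 1:
            status[princ] = "mixed-kvno"  # keys of several versions: check which is current
        else:
            status[princ] = "ok"
    return status
```

An "etype-mismatch" or a stale kvno in a merged keytab both surface as "Decrypt integrity check failed" on the server side, so this is the first thing to compare after a ktpass run.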