Re: Kerberos Digest, Vol 190, Issue 10


Re: Kerberos Digest, Vol 190, Issue 10

Sanjay Kumar Sahu
Hi!

Currently we are facing a Kerberos authentication issue on our RHEL7 server
running Apache/2.4 after changing the keytab crypto type to AES256. Previously
it was crypto type=all. Please check the following details.

We are using mod_auth_kerb on Red Hat Enterprise Linux for our application
MediaWiki 1.30.0 running in Apache/2.4,
and we never faced any issue related to Kerberos authentication as long as we
used the keytab with the following cipher algorithms in the encryption method:
(des-cbc-crc)
(des-cbc-md5)
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

Later, the DES crypto type was categorised as a weak crypto type and its
use in production was denied for security reasons.

And we were asked to use a keytab using Advanced Encryption Standard (AES)
cryptography with either of the types (AES128 or AES256) for the following cipher
algorithms:

(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

But unfortunately neither of the keytabs encrypted with AES crypto (AES128
or AES256) is working under Apache/2.4, and it throws the following error in the HTTPD
server Error_log.


Error_log
-----------------
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
provide more information (, No key table entry found for the SPN)

Please let us know if there is any solution to resolve the issue for
Kerberos.

On Sun, Oct 21, 2018 at 9:32 PM <[hidden email]> wrote:

> Send Kerberos mailing list submissions to
>         [hidden email]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://mailman.mit.edu/mailman/listinfo/kerberos
> or, via email, send a message with subject or body 'help' to
>         [hidden email]
>
> You can reach the person managing the list at
>         [hidden email]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Kerberos digest..."
>
>
> Today's Topics:
>
>    1. Make Windows Firefox Use Ticket gained via OpenConnect VPN
>       Connection (chiasa.men)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 Oct 2018 22:09:57 +0200
> From: "chiasa.men" <[hidden email]>
> Subject: Make Windows Firefox Use Ticket gained via OpenConnect VPN
>         Connection
> To: [hidden email]
> Message-ID: <25678829.3fpAYYNG7q@march>
> Content-Type: text/plain; charset="utf-8"
>
> I have an openconnect server where I can login with kerberos credentials (the
> vpn server basically also works as proxy to the kdc within said vpn - more
> detailed description: https://access.redhat.com/blogs/766093/posts/1976663 )
>
> Now I can connect with a windows machine (using openconnect-gui) with my
> kerberos credentials. Which works.
>
> The next step shall be to use the gained ticket further for webservices within
> that vpn. How can I tell the browser (e.g. Firefox) to use the ticket gained
> by openconnect? Is there any way to achieve this?
>
> I also installed the MIT Kerberos Ticket Manager for Windows. Here
> (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> is described that it is possible to use that
> Manager with firefox in order to authenticate to webservices. Although I
> haven't been able to accomplish that, would it be possible to tell MIT
> Kerberos Ticket Manager to use the Ticket of the vpn login?
>
> Is there already a 'usual way' to achieve something like sso via vpn with
> kerberos with windows clients?
>
> ------------------------------
>
> _______________________________________________
> Kerberos mailing list
> [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> End of Kerberos Digest, Vol 190, Issue 10
> *****************************************
>


--
*Thanks & Regards,*


*Sanjay Kumar Sahu*
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
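The "No key table entry found for the SPN" error above means the GSS acceptor could not find a key in the keytab that matches what the client's service ticket was encrypted with: the principal name, the enctype and the key version number (kvno) all have to line up. The script below is an added example, not code from this thread or from mod_auth_kerb: it parses the output of MIT Kerberos' `klist -kte` and reports whether the keytab holds AES keys for a given service principal, what the stored kvno is, and whether any DES entries are left over. The listing, the keytab path `/etc/httpd/http.keytab`, and the names `wiki.example.com` / `EXAMPLE.COM` are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the output of `klist -kte`
# (MIT Kerberos) and checks that the keytab holds an AES key for the service
# principal (SPN) that the GSS acceptor will look up. The listing below is a
# constructed sample; wiki.example.com / EXAMPLE.COM are hypothetical names.

SAMPLE_LISTING='Keytab name: FILE:/etc/httpd/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/22/2018 07:52:00 HTTP/wiki.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 10/22/2018 07:52:00 HTTP/wiki.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/05/2017 10:00:00 HTTP/wiki.example.com@EXAMPLE.COM (des-cbc-md5)
   3 10/22/2018 07:52:00 host/wiki.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_entries LISTING
# Prints one "KVNO PRINCIPAL ENCTYPE" line per keytab entry, skipping the
# header lines; the enctype is the last field with its parentheses stripped.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { e = $NF; gsub(/[()]/, "", e); print $1, $4, e }'
}

# has_spn_key LISTING SPN ENCTYPE
# Succeeds (exit 0) when an entry for SPN with exactly that enctype exists.
has_spn_key() {
    keytab_entries "$1" | awk -v spn="$2" -v enc="$3" \
        '$2 == spn && $3 == enc { found = 1 } END { exit !found }'
}

# highest_kvno LISTING SPN
# Prints the highest key version number stored for SPN (0 if none). The KDC's
# current kvno for the principal must match, or the ticket cannot be decrypted.
highest_kvno() {
    keytab_entries "$1" | awk -v spn="$2" \
        '$2 == spn && ($1 + 0) > max { max = $1 + 0 } END { print max + 0 }'
}

# count_weak_entries LISTING
# Prints how many DES entries remain; these are the keys that stop being
# usable once weak crypto is disallowed, so a clean keytab should have none.
count_weak_entries() {
    keytab_entries "$1" | awk '$3 ~ /^des-/ { n++ } END { print n + 0 }'
}

# check_keytab LISTING SPN
# Reports whether SPN has both AES enctypes and flags leftover DES keys.
# Returns 0 only when every required AES key is present.
check_keytab() {
    listing="$1"; spn="$2"; status=0
    for enc in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
        if has_spn_key "$listing" "$spn" "$enc"; then
            echo "ok:      $spn has $enc (kvno $(highest_kvno "$listing" "$spn"))"
        else
            echo "missing: $spn has no $enc key"
            status=1
        fi
    done
    weak=$(count_weak_entries "$listing")
    [ "$weak" -eq 0 ] || echo "warning: $weak DES entries still in keytab"
    return "$status"
}

# On a real server (assumed path and names):
#   check_keytab "$(klist -kte /etc/httpd/http.keytab)" "HTTP/wiki.example.com@EXAMPLE.COM"
#   kinit -kt /etc/httpd/http.keytab HTTP/wiki.example.com@EXAMPLE.COM   # proves the stored key matches the KDC
check_keytab "$SAMPLE_LISTING" "HTTP/wiki.example.com@EXAMPLE.COM"
```

Two things the listing alone cannot tell you, so they are worth checking next: the SPN the browser actually requests is `HTTP/` followed by the hostname the client resolved, so a keytab made for a different name (alias, short name, wrong case) fails with exactly this error; and regenerating a keytab normally bumps the kvno on the KDC, so old tickets, or a keytab copied from another host, will carry a stale kvno. A successful `kinit -kt` against the principal confirms the key material and kvno agree with the KDC.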
Re: Kerberos Digest, Vol 190, Issue 10

Todd Grayson
Sanjay, it is confusing for you to reply to the Kerberos digest email with
your own issue. Create a new email with its own subject for your question.

Please send an email directly to the [hidden email] list.

On Mon, Oct 22, 2018, 7:52 AM Sanjay Kumar Sahu <[hidden email]>
wrote: