kerberos and web authentication


kerberos and web authentication

Rita
I created a user keytab. I use curl to authenticate against a web server.
`curl -u : --negotiate` it works randomly (about 33% accuracy). I am
trying to figure out if it's a webserver issue or kerberos issue. Is there
anything else I can do?

--
--- Get your facts first, then you can distort them as you please.--
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos and web authentication

Benjamin Kaduk-2
On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> I created a user keytab. I use curl to authenticate against a web server.
> `curl -u : --negotiate` it works randomly (about 33% accuracy). I am
> trying to figure out if it's a webserver issue or kerberos issue. Is there
> anything else I can do?

There's (at least) a couple things that can come into play for this sort of
scenario (not least because HTTP Negotiate violates some fundamental
assumptions about message- vs. connection-oriented):

Does the web server's hostname have multiple IP addresses in the DNS?  (Is
reverse DNS used for principal canonicalization by the krb5 library?  The
default is "yes" in many versions.)

Does the web server have a pool of backend servers behind a load balancer?

-Ben

Re: kerberos and web authentication

Rita
hi

The webserver has DNS aliases but not multiple IPs. On a client level is it
possible to disable the reverse lookup? I am not sure if it's backed by a
pool of servers -- is there a way to find out from a client?

On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk <[hidden email]> wrote:

> On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> > I created a user keytab. I use curl to authenticate against a web server.
> > `curl -u : --negotiate` it works randomly (about 33% accuracy). I am
> > trying to figure out if it's a webserver issue or kerberos issue. Is there
> > anything else I can do?
>
> There's (at least) a couple things that can come into play for this sort of
> scenario (not least because HTTP Negotiate violates some fundamental
> assumptions about message- vs. connection-oriented):
>
> Does the web server's hostname have multiple IP addresses in the DNS?  (Is
> reverse DNS used for principal canonicalization by the krb5 library?  The
> default is "yes" in many versions.)
>
> Does the web server have a pool of backend servers behind a load balancer?
>
> -Ben
>


--
--- Get your facts first, then you can distort them as you please.--

Re: kerberos and web authentication

Benjamin Kaduk-2
On Fri, Aug 21, 2020 at 08:04:24PM -0400, Rita wrote:
> hi
>
> The webserver has DNS aliases but not multiple IPs. On a client level is it

(temporarily) forcing the name to resolve to just a single IP, e.g., via
/etc/hosts, would be one possible diagnostic measure.

> possible to disable the reverse lookup? I am not sure if it's backed by a

See the 'rdns' keyword at
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults

> pool of servers -- is there a way to find out from a client?

In general, no; one can make inferences from careful inspection of response
headers, request/response timing for exchanges that require server-side
state, and the like, but it may require some expertise to interpret the
results.

-Ben

> On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk <[hidden email]> wrote:
>
> > On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> > > I created a user keytab. I use curl to authenticate against a web server.
> > > `curl -u : --negotiate` it works randomly (about 33% accuracy). I am
> > > trying to figure out if it's a webserver issue or kerberos issue. Is there
> > > anything else I can do?
> >
> > There's (at least) a couple things that can come into play for this sort of
> > scenario (not least because HTTP Negotiate violates some fundamental
> > assumptions about message- vs. connection-oriented):
> >
> > Does the web server's hostname have multiple IP addresses in the DNS?  (Is
> > reverse DNS used for principal canonicalization by the krb5 library?  The
> > default is "yes" in many versions.)
> >
> > Does the web server have a pool of backend servers behind a load balancer?
> >
> > -Ben
> >
>
>
> --
> --- Get your facts first, then you can distort them as you please.--
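The failure mode Ben describes (reverse-DNS canonicalization turning one alias into several service principals, only some of which the server's keytab can decrypt) can be reproduced offline with a small model of the krb5 client's hostname-to-principal step. This is an added example, not code from the thread or from MIT krb5; it is a simplified model of krb5's canonicalization (it ignores newer options such as dns_canonicalize_hostname), and the host names, addresses, PTR records and keytab contents are constructed.

```python
import re
from collections import Counter

def parse_rdns(krb5_conf_text):
    """Return the [libdefaults] rdns value; default True, as in many krb5 versions."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "rdns":
                return val.lower() in ("true", "yes", "1")
    return True

def service_principal(host, realm, forward, reverse, rdns, addr_index=0):
    """Simplified model of krb5 hostname canonicalization: forward-resolve (which
    follows CNAME aliases), then, if rdns is on, use the PTR name of the address
    the resolver listed first. forward(host) -> (canonical_name, [addresses]);
    reverse(addr) -> PTR name or None."""
    canon, addrs = forward(host)
    name = canon
    if rdns and addrs:
        name = reverse(addrs[addr_index % len(addrs)]) or canon
    return f"HTTP/{name.lower().rstrip('.')}@{realm}"

def explain_flakiness(host, realm, forward, reverse, rdns, keytab_principals):
    """Try every address a round-robin resolver could list first; return the
    fraction of resulting SPNs the server keytab holds and a Counter of SPNs."""
    _, addrs = forward(host)
    spns = [service_principal(host, realm, forward, reverse, rdns, i)
            for i in range(max(1, len(addrs)))]
    ok = sum(1 for s in spns if s in keytab_principals)
    return ok / len(spns), Counter(spns)

# Constructed DNS data (hypothetical): an alias resolving to a three-address pool
# whose PTRs name individual backends; the keytab holds only the pool name and web1.
FAKE_FORWARD = {"www.example.com": ("web-lb.example.com",
                                    ["10.0.0.1", "10.0.0.2", "10.0.0.3"])}
FAKE_REVERSE = {"10.0.0.1": "web1.example.com", "10.0.0.2": "web2.example.com",
                "10.0.0.3": "web3.example.com"}
KEYTAB = {"HTTP/web-lb.example.com@EXAMPLE.COM", "HTTP/web1.example.com@EXAMPLE.COM"}

if __name__ == "__main__":
    for rdns in (True, False):
        rate, seen = explain_flakiness("www.example.com", "EXAMPLE.COM",
                                       FAKE_FORWARD.__getitem__, FAKE_REVERSE.get, rdns, KEYTAB)
        print(f"rdns={rdns}: success rate {rate:.0%}, SPNs seen {dict(seen)}")
```

With rdns on, the constructed data yields three different SPNs and a one-in-three success rate, the pattern reported in the thread; with rdns = false every request asks for HTTP/web-lb.example.com and succeeds. For a live check, pass a wrapper around socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME) as forward and socket.gethostbyaddr as reverse.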