kerberos authentication for apache on windows


kerberos authentication for apache on windows

Julien ALLANOS
Hello,

I'm new to Kerberos, and I want to know if the following configuration is
possible:

I have an Apache2 web server running on Windows 2003 Server, and I want to
authenticate users with Kerberos before they can access the web server
content. The KDC service seems to be up and running on the Windows 2003 server.

1/ How can I check that a client (Windows XP) that has just logged into the
domain has been given a TGT?

Now I have to "kerberize" the Apache server. I found mod_auth_krb
(http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
headers and libs for a Kerberos implementation.

2/ Can I use the Windows implementation to compile it? Or do I have to install
another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
build it?

3/ How can I be sure only Kerberos is used (and not NTLM)?

Thanks for any information.
--
Julien ALLANOS
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos authentication for apache on windows

kl (Bugzilla)
Hi Julien,

I have it working with the modgssapache module - although I'm not sure
that apache module works on anything but Unix (I've used it on FreeBSD
without problems).

The nice thing about it is that it supports single-sign-on - as I
understand it, mod_auth_kerb does not.

on 06/02/05 12:48 Julien ALLANOS wrote:

> Hello,
>
> I'm new to kerberos, and I want to know if the following configuration is
> possible:
>
> I have an Apache2 web server running on Windows 2003 Server, and I want to
> authenticate users with kerberos before they can access to the web server
> content. The kdc service seems to be up and running on the Windows 2003 server.
>
> 1/ how can I check that a client (Windows XP) that has just logged into the
> domain, has been given a TGT?
>
> Now I have to "kerberize" the Apache server. I found mod_auth_krb
> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
> headers and libs for a Kerberos implementation.
>
> 2/ Can I use Windows implementation to compile it? Or do I have to install
> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
> build it?
>
> 3/ How can I be sure only Kerberos is used (and not NTLM)?
>
> Thanks for any information.

--
Regards,
Klavs Klavsen, GSEC - [hidden email] - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

Re: kerberos authentication for apache on windows

Jeffrey Altman-3
In reply to this post by Julien ALLANOS
Julien ALLANOS wrote:

> Hello,
>
> I'm new to kerberos, and I want to know if the following configuration is
> possible:
>
> I have an Apache2 web server running on Windows 2003 Server, and I want to
> authenticate users with kerberos before they can access to the web server
> content. The kdc service seems to be up and running on the Windows 2003 server.
>
> 1/ how can I check that a client (Windows XP) that has just logged into the
> domain, has been given a TGT?

If you want a visual indication, you can use:

 * the "klist" tool provided by Microsoft with Windows

 * the "kerbtray" tool provided by Microsoft in the Resource Kit

 * MIT Kerberos for Windows and its Leash Ticket Manager,

> Now I have to "kerberize" the Apache server. I found mod_auth_krb
> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
> headers and libs for a Kerberos implementation.
>
> 2/ Can I use Windows implementation to compile it? Or do I have to install
> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
> build it?

If you want to build an Apache module that uses the MIT Kerberos APIs,
you can build the module against the SDK that is installed as a part of
MIT Kerberos for Windows.

Jeffrey Altman


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: kerberos authentication for apache on windows

Julien ALLANOS
Selon Jeffrey Altman <[hidden email]>:

> Julien ALLANOS wrote:
>> Hello,
>>
>> I'm new to kerberos, and I want to know if the following configuration is
>> possible:
>>
>> I have an Apache2 web server running on Windows 2003 Server, and I want to
>> authenticate users with kerberos before they can access to the web server
>> content. The kdc service seems to be up and running on the Windows
>> 2003 server.
>>
>> 1/ how can I check that a client (Windows XP) that has just logged into the
>> domain, has been given a TGT?
>
> If you want a visual indication, you can use:
>
> * the "klist" tool provided by Microsoft with Windows
>
> * the "kerbtray" tool provided by Microsoft in the Resource Kit
>
> * MIT Kerberos for Windows and its Leash Ticket Manager,
>
>> Now I have to "kerberize" the Apache server. I found mod_auth_krb
>> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
>> headers and libs for a Kerberos implementation.
>>
>> 2/ Can I use Windows implementation to compile it? Or do I have to install
>> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
>> build it?
>
> If you want to build an Apache module that uses the MIT Kerberos APIs,
> you can build the module against the SDK that is installed as a part of
> MIT Kerberos for Windows.
>
> Jeffrey Altman

Thanks.

I have installed kerbtray, and I can see the following tickets for
MY.DOMAIN.COM:

cifs/srv.my.domain.com
krbtgt/MY.DOMAIN.COM (forwarded)
krbtgt/MY.DOMAIN.COM (initial)
ldap/srv.my.domain.com/my.domain.com

So I suppose the krbtgt are the TGT. But why two tickets?

I've succeeded in building mod_spnego.so for Windows, using MIT kfw 2.6.5,
fbopenssl, openssl and apache2. Then I've created a user in AD, and a
corresponding keytab for HTTP/[hidden email].

I'm using the following configuration for Apache:

<Location />
   AuthType SPNEGO
   Krb5KeyTabFile conf/rp.HTTP.keytab
   Krb5ServiceName HTTP
   Require valid-user
</Location>

Here is a summary of an access to the web server:

C -> GET / -> S
C <- 401, WWW-Authenticate: Negotiate <- S

C -> GET /, Authorization: Negotiate xxxxx -> S
C <- 401 <- S

Here are the last 3 lines of error.log:

[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
[Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token

So what's wrong, please? I really need to make Kerberos work, not NTLM.

Thanks for any help.
--
Julien ALLANOS

RE: kerberos authentication for apache on windows

Kallapur, Madhusudan V
In reply to this post by Julien ALLANOS
Looks like your SPNEGO is not requesting Kerberos tokens, or the Windows XP
client doesn't support Kerberos tokens.

1. You may want to configure the Win XP client (I guess you are using the IE
browser) as described in the link below:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp

2. I have used mod_auth_krb (http://modauthkerb.sourceforge.net/) to
configure my Apache web server (running on Linux) successfully for
SPNEGO with Kerberos authentication. You may want to add these lines to
your conf file:

<Location />
   AuthType Kerberos
   KrbMethodNegotiate on
   ------ your rest of the stuff comes here -----
</Location>

3. Use a network protocol analyzer tool (Ethereal works for me) to see
what's going on between the KDC, client and server. You may want to run the
tool on the client, as it talks to both the KDC and the server.



RE: kerberos authentication for apache on windows

Julien ALLANOS
Selon "Kallapur, Madhusudan V" <[hidden email]>:

> looks like your spnego is not requesting Kerberos tokens or windows xp
> client doesn't support Kerberos tokens.

Right. Both browsers (IE and Firefox) send the following Authorization header:

  Negotiate BASE64-encoded-NTLM (starts with NTLMSSP...)

> 1. you may want to configure win xp client, I guess you are using IE
> browser, as described in the link below
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecur
> e/html/http-sso-1.asp
>

Already configured IE to use SPNEGO. NTLM works well (using mod_auth_sspi on
the Apache web server). For Firefox I've added the hostname of the web server
to both network.negotiate-auth.trusted-uris and
network.automatic-ntlm-auth.trusted-uris. For IE, my server is in the intranet
zone and integrated Windows auth is enabled.

> 2. I have used mod_auth_krb (http://modauthkerb.sourceforge.net/) to
> configure my apache webserver ( running on linux) successfully for
> SPNEGO with Kerberos authentication. you may want to add these lines to
> your conf file
>
> <Location />
>   AuthType Kerberos
>   KrbMethodNegotiate on
>   ------ your rest of the stuff comes here -----
> </Location>

mod_auth_kerb isn't very portable to WIN32, that's why I'm using mod_spnego
(that already has VC++ project files).

>
> 3. Use network protocol analyzer tools (ethereal works for me) to see
> whats going on between KDC, client and server. You may want to run the
> tool on client as it talks to both KDC and server.
>

I've just installed Ethereal on the client, but I want to know which ports I
have to listen on to get KDC messages (because a lot of packets are captured
without a filter, and filtering on port 80 only isn't sufficient, I believe,
to see the dialogue between the client SSPI layer and the KDC). Actually, I
have the same box for the client (web browser), the web server and the KDC;
maybe the problem comes from that...

So why are my web browsers sending NTLM tokens in the Authorization header,
instead of SPNEGO tokens?

Thanks for your help.
--
Julien ALLANOS

Re: kerberos authentication for apache on windows

Julien ALLANOS
In reply to this post by kl (Bugzilla)
Selon Klavs Klavsen <[hidden email]>:

> Hi Julien,

Hello,

> I have it working with the modgssapache module - although I'm not sure
> that apache module works on anything but Unix (I've used it on FreeBSD
> without problems).

This module is only for Apache 1. I need an Apache 2 module.
>
> The nice thing about it, is that it supports single-sign-on - as I
> understand it, mod_auth_kerb does not.
>

What makes you say this, please? Any link? Thanks.
--
Julien ALLANOS

Re: kerberos authentication for apache on windows

Frank Balluffi
FYI, mod_spnego (which can be found at
http://sourceforge.net/projects/modgssapache/) supports Apache 1.3 and 2.0
on Linux, Solaris and Windows.

Frank


RE: kerberos authentication for apache on windows

Frank Balluffi
In reply to this post by Julien ALLANOS
Julien ALLANOS said:

> I've just installed ethereal on the client, but I want to know which
> ports do I
> have to listen to to get KDC messages (cause a lot of packets are
catched up
> without using a filter, and filtering on port 80 only isn't sufficient I
> believe to see dialogs between client SSPI layer and KDC. Actually, I
have the
> same box for the client (web browser), the web server and the KDC, maybe
the
> problem comes from that...
>
> So why my web browsers are sending NTLM tokens in the Authroziation
header,
> instead of SPNEGO tokens?

For IE, follow the directions on
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp 
(I think someone has already made this point), including shutting down ALL
instances of IE and restarting IE.

Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).

I have seen IE send NTLM tokens under the following circumstances:

1. web server sends IE the following:

HTTP/1.1 401 Authorization Required
...
WWW-Authenticate: NTLM
...

2. IE is NOT configured as above and web server sends IE the following:

HTTP/1.1 401 Authorization Required
...
WWW-Authenticate: Negotiate
...

mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
mod_spnego, read Microsoft's directions very carefully.

Sniff the following traffic:

HTTP between IE and web server (usually port 80)
Kerberos between IE and KDC (usually port 88)

Frank

RE: kerberos authentication for apache on windows

Julien ALLANOS
Selon Frank Balluffi <[hidden email]>:

>
> For IE, follow the directions on
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
> (I think someone has already made this point), including shutting down ALL
> instances of IE and restarting IE.
>
> Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
> I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).
>
> I have seen IE send NTLM tokens under the following circumstances:
>
> 1. web server sends IE the following:
>
> HTTP/1.1 401 Authorization Required
> ...
> WWW-Authenticate: NTLM
> ...
>
> 2. IE is NOT configured as above and web server sends IE the following:
>
> HTTP/1.1 401 Authorization Required
> ...
> WWW-Authenticate: Negotiate
> ...
>
> mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
> mod_spnego, read Microsoft's directions very carefully.
>
> Sniff the following traffic:
>
> HTTP between IE and web server (usually port 80)
> Kerberos between IE and KDC (usually port 88)
>
> Frank
>

I am now facing the following problem: browsers don't send NTLM tokens
anymore but SPNEGO tokens (I believe). I don't really know what I did to make
it work, but heh, it works. That's good. However, I get internal server errors
from the web server. Actually I think mod_spnego couldn't find the keytab. So I
copied the keytab file to C:\WINDOWS\krb5kt as stated in mod_spnego's README
file. I am now getting this:

[Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
gss_acquire_cred failed; GSS-API: Miscellaneous failure)
[Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
gss_acquire_cred failed; GSS-API mechanism: No principal in keytab matches
desired name)

> klist -k c:\WINDOWS\krb5kt
Keytab name: FILE:c:\WINDOWS\krb5kt
KVNO Principal
----
--------------------------------------------------------------------------
   3 HTTP/[hidden email]

Any help please? Thanks.
--
Julien ALLANOS

RE: kerberos authentication for apache on windows

Frank Balluffi
Julien ALLANOS said:

> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API: Miscellaneous failure)
> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API mechanism: No principal in keytab
matches
> desired name)
>
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
> ----
>
--------------------------------------------------------------------------
>    3 HTTP/[hidden email]

Sniff the traffic between the browser and the KDC (usually port 88 of the
KDC) and look at the service name in the HTTP ticket sent from the KDC to
the browser in the TGS-REP, which should equal a name in the keytab.

Also, I remember having difficulties using KRB5_KTNAME on Windows --
either it was not supported on Windows or did not support drive letters
(e.g., C:). There are two notes about KRB5_KTNAME in
mod_spnego/readme.txt.

Frank

RE: kerberos authentication for apache on windows

Frank Balluffi
In reply to this post by Julien ALLANOS
Julien ALLANOS said:

> I am now facing to the following problem: browsers don't send NTLM
tokens
> anymore but SPNEGO tokens (I believe). I don't really know what I did to
make
> it work, but heh, it works. That's good.

For both NTLM and SPNEGO tokens, IE should send:

Authorization: Negotiate

followed by a base64-encoded token. To determine the type of token,
capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C
4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with
hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long
(most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2,
which identifies the SPNEGO GSSAPI mechanism.

Frank

RE: kerberos authentication for apache on windows

jas-4
Selon Frank Balluffi <[hidden email]>:

> Julien ALLANOS said:
>
>> I am now facing to the following problem: browsers don't send NTLM
> tokens
>> anymore but SPNEGO tokens (I believe). I don't really know what I did to
> make
>> it work, but heh, it works. That's good.
>
> For both NTLM and SPNEGO tokens, IE should send:
>
> Authorization: Negotiate
>
> followed by a base64-encoded token. To determine the type of token,
> capture and base64-decode the token. NTLM tokens begin with hex 4E 54 4C
> 4D 53 53 50 which corresponds to "NTLMSSP" and SPNEGO tokens begin with
> hex 60 ... 06 06 2B 06 01 05 05 02 where ... is between 1 and 3 bytes long
> (most commonly 3 bytes). 06 06 2B 06 01 05 05 02 means 1.3.6.1.5.5.2,
> which identifies the SPNEGO GSSAPI mechanism.
>
> Frank
>

I've sniffed on port 88 but I didn't see any packet. Probably because the
browser, KDC and web server are on the same machine? (I have only 1 machine
in my domain atm.)

However, I can see the Authorization header (Negotiate + Base64 stuff) in the
second GET request to the web server. The token begins with: 60 82 04 c7 06 06
2b 06 01 05 05 02, which seems to be a SPNEGO token.

Is the service name encoded somewhere in this token? If I look at it as plain
text, I can see:

‚”0‚ ¡ADCASSARD.JAS.AQL.FR¢'0%
¡0HTTPadcassard.jas.aql.fr£‚F0‚B ¡

so I believe the requested principal is HTTP/[hidden email], which doesn't
match what is inside the keytab (HTTP/[hidden email]). Then I created a new
keytab with the new service name, but it didn't change anything, I still got
the no match error.
--
Julien ALLANOS


RE: kerberos authentication for apache on windows

Frank Balluffi
Julien ALLANOS said:

> I've sniffed on port 88 but I didn't see any packet. Probably because
browser,
> KDC and web server are on the same machine? (I have only 1 machine on
> my domain
> atm).

Yes, you will need to run a KDC on a separate machine to sniff the traffic
-- at least with Ethereal.

> However, I can see the Authorization header (Negotiate + Base64 stuff)
in the
> second GET request to the web server. The token begins with: 60 82 04 c7
06 06
> 2b 06 01 05 05 02, which seems to be a SPNEGO token.
>
> Is the service name encoded somewhere in this token? If I look at it as
plain
> text, I can see:
>
> ‚”0‚ ¡ADCASSARD.JAS.AQL.FR¢'0%
> ¡0HTTPadcassard.jas.aql.fr£‚F0‚B ¡
>
> so I believe the requested principal is
> HTTP/[hidden email], which doesn't match what
is
> inside the keytab
> (HTTP/[hidden email]). Then I
> created a new keytab with the new service name, but it didn't change
> anything, I
> still got the no match error.

Yes, the browser is sending a SPNEGO token containing a ticket to
HTTP/[hidden email] -- you can figure this out
by looking at the ASN.1 in
draft-ietf-krb-wg-kerberos-clarifications-07.txt. Everything looks fine
except the Kerberos realm names do not match. You now need to figure out
why the ticket contains the realm ADCASSARD.JAS.AQL.FR and the keytab
contains the realm SRV1.ADCASSARD.JAS.AQL.FR.

Frank

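To make Frank's two checks from this thread concrete (telling an NTLM token from a SPNEGO token by its leading bytes, and reading the realm and service name out of the ticket so it can be compared with the keytab), here is an added Python example. It is not code from the thread, from mod_spnego or from MIT Kerberos. The token it decodes is a constructed sample (realm EXAMPLE.COM, service HTTP/www.example.com, a dummy enc-part and no authenticator), not a captured one; the helper names, the sample values and the keytab principal lists are assumptions for illustration. The DER walker assumes single-byte tags, which is all the Kerberos and SPNEGO structures involved here use.

```python
import base64

# Prefixes described in the thread: NTLM tokens start with "NTLMSSP", SPNEGO
# tokens are a DER [APPLICATION 0] wrapper (tag 0x60, then 1-3 length bytes)
# whose body begins with the DER-encoded OID 1.3.6.1.5.5.2.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
TICKET_TAG = 0x61                                    # Ticket ::= [APPLICATION 1]


def read_tlv(buf, off=0):
    """Read one DER tag-length-value at buf[off]; return (tag, body, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:                                 # long-form length
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated body")
    return tag, buf[off:off + length], off + length


def iter_tlvs(buf):
    off = 0
    while off < len(buf):
        tag, body, off = read_tlv(buf, off)
        yield tag, body


def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value as NTLM, SPNEGO or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"
    tag, body, _ = read_tlv(raw)
    return "SPNEGO" if tag == 0x60 and body.startswith(SPNEGO_OID) else "unknown"


def find_ticket(buf):
    """Depth-first search for the Ticket inside a SPNEGO/AP-REQ token. Descends into
    constructed TLVs and into OCTET STRINGs (the mechToken wrapper); the 2-byte
    TOK_ID 01 00 after the krb5 OID reads as an empty TLV, so the walker steps over it."""
    for tag, body in iter_tlvs(buf):
        if tag == TICKET_TAG:
            return body
        if tag & 0x20 or tag == 0x04:
            try:
                found = find_ticket(body)
            except ValueError:
                continue                             # opaque bytes, not DER
            if found is not None:
                return found
    return None


def ticket_principal(header_value):
    """Return 'svc/host@REALM' named by the ticket carried in a SPNEGO Authorization value."""
    ticket = find_ticket(base64.b64decode(header_value.split(" ", 1)[1]))
    if ticket is None:
        raise ValueError("no Kerberos ticket in token")
    fields = dict(iter_tlvs(read_tlv(ticket)[1]))     # Ticket's inner SEQUENCE
    realm = read_tlv(fields[0xA1])[1].decode("ascii")  # realm [1] Realm
    sname = dict(iter_tlvs(read_tlv(fields[0xA2])[1]))  # sname [2] PrincipalName
    parts = [b.decode("ascii") for _, b in iter_tlvs(read_tlv(sname[0xA1])[1])]
    return "/".join(parts) + "@" + realm


def keytab_has_principal(header_value, keytab_principals):
    """True when the principal the ticket was issued for appears in the keytab list."""
    return ticket_principal(header_value) in set(keytab_principals)


def _tlv(tag, body):                                 # minimal DER encoder for the sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    enc = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body


def _gstr(s):                                        # KerberosString is a GeneralString
    return _tlv(0x1B, s.encode("ascii"))


def build_sample_spnego(realm, service, host):
    """Constructed sample NegTokenInit carrying an AP-REQ (dummy enc-part, no
    authenticator). Not a real capture; it only has the structure the parsers need."""
    sname = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))
                 + _tlv(0xA1, _tlv(0x30, _gstr(service) + _gstr(host))))
    enc_part = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x17")) + _tlv(0xA2, _tlv(0x04, b"\x00" * 16)))
    ticket = _tlv(TICKET_TAG, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x05")) + _tlv(0xA1, _gstr(realm))
                                    + _tlv(0xA2, sname) + _tlv(0xA3, enc_part)))
    ap_req = _tlv(0x6E, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x05")) + _tlv(0xA1, _tlv(0x02, b"\x0e"))
                                  + _tlv(0xA2, _tlv(0x03, b"\x00" * 5)) + _tlv(0xA3, ticket)))
    krb5_token = _tlv(0x60, KRB5_OID + b"\x01\x00" + ap_req)
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, KRB5_OID)) + _tlv(0xA2, _tlv(0x04, krb5_token))))
    return "Negotiate " + base64.b64encode(_tlv(0x60, SPNEGO_OID + neg_init)).decode("ascii")


SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24).decode("ascii")
SAMPLE_SPNEGO = build_sample_spnego("EXAMPLE.COM", "HTTP", "www.example.com")

if __name__ == "__main__":
    print(classify_negotiate(SAMPLE_NTLM), classify_negotiate(SAMPLE_SPNEGO))
    print(ticket_principal(SAMPLE_SPNEGO))
    # The thread's failure mode: the keytab principal carries a different realm.
    print(keytab_has_principal(SAMPLE_SPNEGO, ["HTTP/www.example.com@WWW.EXAMPLE.COM"]))
```

With a real capture, paste the Authorization header value into classify_negotiate() and ticket_principal() and compare the result with the principals listed by klist -k; a mismatch in either the host part or the realm part is exactly the "no principal in keytab matches desired name" condition seen above. The parser stops at the first Ticket it finds and never decrypts anything, so it is safe to run on tokens taken from logs or packet captures.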

RE: kerberos authentication for apache on windows

jas-4
Quoting Frank Balluffi <[hidden email]>:

> Julien ALLANOS said:
>
>> I've sniffed on port 88 but I didn't see any packet. Probably because
> browser,
>> KDC and web server are on the same machine? (I have only 1 machine on
>> my domain
>> atm).
>
> Yes, you will need to run a KDC on a separate machine to sniff the traffic
> -- at least with Ethereal.
>
>> However, I can see the Authorization header (Negotiate + Base64 stuff)
> in the
>> second GET request to the web server. The token begins with: 60 82 04 c7
> 06 06
>> 2b 06 01 05 05 02, which seems to be a SPNEGO token.
>>
>> Is the service name encoded somewhere in this token? If I look at it as
> plain
>> text, I can see:
>>
>> ‚”0‚ ¡ADCASSARD.JAS..AQL.FR¢'0%
>> ¡0HTTPadcassard.jas.aql.fr£‚F0‚B ¡
>>
>> so I believe the requested principal is
>> HTTP/[hidden email], which doesn't match what
> is
>> inside the keytab
>> (HTTP/[hidden email]). Then I
>> created a new keytab with the new service name, but it didn't change
>> anything, I
>> still got the no match error.
>
> Yes, the browser is sending a SPNEGO token containing a ticket to
> HTTP/[hidden email] -- you can figure this out
> by looking at the ASN.1 in
> draft-ietf-krb-wg-kerberos-clarifications-07.txt. Everything looks fine
> except the Kerberos realm names do not match. You now need to figure out
> why the ticket contains the realm ADCASSARD.JAS.AQL.FR and the keytab
> contains the realm SRV1.ADCASSARD.JAS.AQL.FR.
>
> Frank
>

As I said, I've created a new keytab with the
HTTP/[hidden email] service name (using ktpass).
klist now shows the correct principal:

> klist -k c:\WINDOWS\krb5kt
Keytab name: FILE:c:\WINDOWS\krb5kt
KVNO Principal
----
--------------------------------------------------------------------------
   4 HTTP/[hidden email]

I've restarted Apache, restarted Firefox on the client session and requested
the URL again. I got the same error: no principal match.
--
Julien ALLANOS


RE: kerberos authentication for apache on windows

Frank Balluffi
[hidden email] wrote on 06/06/2005 10:21:12 AM:

> As I said, I've created a new keytab with the
> HTTP/[hidden email] service name (using
ktpass).
> klist now shows the correct principal:
>
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
> ----
>
--------------------------------------------------------------------------
>    4 HTTP/[hidden email]
>
> I've restarted Apache, restarted Firefox on the client session and
> requested the
> URL again. I got the same error: no principal match.

I am not sure why it is failing. For the sake of thoroughness, you might
want to check what encryption types are being used. To check the keytab,
pass -e to klist:

klist -e -k c:\WINDOWS\krb5kt

To check the token requires decoding. If you send me the token (out of
band), I will check it. Because I have seen problems with key version
numbers (kvno) and Windows Server 2003, you might also want to try
deleting and recreating the service account and recreating the keytab. You
should then see a kvno equal to 1.

Frank

Re: kerberos authentication for apache on windows

Daniel Kouril
In reply to this post by kl (Bugzilla)
Klavs Klavsen wrote:
> The nice thing about it, is that it supports single-sign-on - as I
> understand it, mod_auth_kerb does not.

If you mean the Negotiate authentication using SPNEGO/Kerberos,
mod_auth_kerb does support it as well.

Re: kerberos authentication for apache on windows

kl (Bugzilla)
On Wed, June 8, 2005 12:19, Daniel Kouril said:
> Klavs Klavsen wrote:
>> The nice thing about it, is that it supports single-sign-on - as I
>> understand it, mod_auth_kerb does not.
>
> If you mean the Negotiate authentication using SPNEGO/Kerberos,
> mod_auth_kerb does support it as well.

That was what I meant. Thanks for clearing that up.

--
Klavs Klavsen
