
List:       kerberos
Subject:    WWW-Authenticate: Negotiate in Header
From:       "Dirk Heimann" <dirk.heimann () westlotto ! com>
Date:       2011-08-16 9:37:26
Message-ID: 4E4A56760200003F00029DB0 () Mclp3_server ! wl

Hi,
I have a problem with my SLES11SP1 web server. I want to use Kerberos authentication for single sign-on between my Windows ADS, Windows client and Linux web server. I have configured /etc/krb5.conf and pushed the Kerberos ticket from my Windows ADS to the Linux web server. I also protected my DocumentRoot with a .htaccess file. Now I want to access the web server and get a 401 error message. In the HTTP trace I can't see the entry "WWW-Authenticate: Negotiate" in the header. A look into the error log of a functioning server shows me the following:

[Tue Aug 16 10:23:18 2011] [debug] src/mod_auth_kerb.c(1277): [client 10.43.2.33] Acquiring creds for HTTP@entintranet2.wl
[Tue Aug 16 10:23:18 2011] [debug] src/mod_auth_kerb.c(1424): [client 10.43.2.33] Verifying client data using KRB5 GSS-API
[Tue Aug 16 10:23:18 2011] [debug] src/mod_auth_kerb.c(1440): [client 10.43.2.33] Client didn't delegate us their credential
[Tue Aug 16 10:23:18 2011] [debug] src/mod_auth_kerb.c(1459): [client 10.43.2.33] GSS-API token of length 161 bytes will be sent back
[Tue Aug 16 10:38:08 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.43.2.33] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 16 10:38:08 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.43.2.33] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 16 10:38:08 2011] [debug] src/mod_auth_kerb.c(1277): [client 10.43.2.33] Acquiring creds for HTTP@entintranet2.wl
[Tue Aug 16 10:38:08 2011] [debug] src/mod_auth_kerb.c(1424): [client 10.43.2.33] Verifying client data using KRB5 GSS-API
[Tue Aug 16 10:38:08 2011] [debug] src/mod_auth_kerb.c(1440): [client 10.43.2.33] Client didn't delegate us their credential
[Tue Aug 16 10:38:08 2011] [debug] src/mod_auth_kerb.c(1459): [client 10.43.2.33] GSS-API token of length 161 bytes will be sent back

The error log of the faulty server is empty. Only in the access log I see one 401 message:

10.43.2.33 - - [16/Aug/2011:10:47:12 +0200] "GET / HTTP/1.1" 401 1432 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.18) Gecko/20110614 BTRS28059 Firefox/3.6.18"

It looks as if the Kerberos module is not used by Apache.

Dirk



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
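
Added example (not part of the original post, and not mod_auth_kerb code): a small check that classifies a raw HTTP response by the authentication challenge it carries, separating a 401 that offers Negotiate from a 401 with no WWW-Authenticate header at all, the symptom reported above. The two sample responses are constructed, and the names `auth_schemes` and `diagnose` are hypothetical.

```python
import re

# Constructed sample responses, not captures from the servers in the post.
WORKING = ("HTTP/1.1 401 Authorization Required\r\n"
           "WWW-Authenticate: Negotiate\r\n"
           'WWW-Authenticate: Basic realm="Intranet"\r\n'
           "Content-Length: 1432\r\n\r\n")
FAULTY = ("HTTP/1.1 401 Authorization Required\r\n"
          "Content-Length: 1432\r\n\r\n")

SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def auth_schemes(raw_response):
    """Return (status_code, lower-cased schemes from WWW-Authenticate)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # One header may carry several comma-separated challenges. A piece
        # whose first word is not a bare token (e.g. nonce="...") is an
        # auth parameter, not a scheme. Simplified from RFC 7235 parsing.
        for piece in value.split(","):
            words = piece.split()
            if words and SCHEME.fullmatch(words[0]):
                schemes.append(words[0].lower())
    return status, schemes


def diagnose(raw_response):
    """Classify a response by the authentication challenge it carries."""
    status, schemes = auth_schemes(raw_response)
    if status != 401:
        return "not-a-challenge"
    if "negotiate" in schemes:
        return "negotiate-offered"
    if schemes:
        return "other-scheme-only"
    return "no-challenge"  # the symptom described in the post


if __name__ == "__main__":
    for label, raw in (("working", WORKING), ("faulty", FAULTY)):
        print(label, diagnose(raw))
```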

