Apache 2.2 mod_auth_kerb SSO stopped working

apache-2.2 kerberos single-sign-on mod-auth-kerb
8,976

This happens when there's a mismatch between the SPNs listed in the keytab and the Principal Name provided by the client (the browser).

It could depend by the browser used (some browsers take the name from the URL, some other do a reverse lookup of the ip address they're connecting to).

The common solution to this is setting KrbServiceName to Any:

    KrbServiceName Any

This will relax the check, allowing any key in the server's keytab to be used.

Share:
8,976

Related videos on Youtube

pupkinsen
Author by

pupkinsen

Updated on September 18, 2022

Comments

  • pupkinsen
    pupkinsen over 1 year

    I'm all out of ideas why has it just stopped working, here's what I checked:

    httpd-error.log:

    [Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN>
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1446): [client 10.105.5.131] GSS-API token of length 22 bytes will be sent back
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1758): [client 10.105.5.131] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1264): [client 10.105.5.131] Acquiring creds for HTTP/<FQDN>@<LOCAL.DOMAIN>
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1411): [client 10.105.5.131] Verifying client data using KRB5 GSS-API
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1427): [client 10.105.5.131] Client didn't delegate us their credential
[Thu Jun 11 18:04:21 2015] [debug] src/mod_auth_kerb.c(1125): [client 10.105.5.131] GSS-API major_status:00090000, minor_status:00000000

    -

    sudo kinit -t /etc/krb5.keytab HTTP/<FQDN>

    works fine, no errors

    sudo klist:

    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: HTTP/<FQDN>@<LOCAL.DOMAIN>

Issued                Expires               Principal
Jun 11 17:21:58 2015  Jun 12 00:01:57 2015  krbtgt/<LOCAL.DOMAIN>@<LOCAL.DOMAIN>

    krb5.conf

    [libdefaults]
 ticket_lifetime = 24000
 default_realm = <LOCAL.DOMAIN>
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_keytab_name = /etc/krb5.keytab
 rdns = false

[realms]
 KC.KPLUS = {
  kdc = <dc.ip>:88
  admin_server = <dc.ip>:88
  default_domain = <LOCAL.DOMAIN>
 }

[domain_realm]
 .<local.domain> = <LOCAL.DOMAIN>
 <local.domain> = <LOCAL.DOMAIN>



[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

    .htaccess

    AddHandler cgi-script .cgi .pl
Options +ExecCGI
DirectoryIndex index.pl
AuthName "<LOCAL.DOMAIN>"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealm <LOCAL.DOMAIN>
KrbMethodNegotiate on
KrbServiceName HTTP/<FQDN>@<LOCAL.DOMAIN>
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC off
Require valid-user

    Checked the traffic on the client side, apparently it starts Negotiate, agrees on KRB5 mech and sends the ticket. Receives 401 as a result.

    I can't figure out what is wrong here, any ideas would be appreciated.

    • pupkinsen
      pupkinsen almost 9 years
      Ok I've changed KrbServiceName HTTP/<FQDN>@<LOCAL.DOMAIN> to KrbServiceName Any and it works. I'd still like to know why exactly did it work for a while and then just stop.
    • Gagravarr
      Gagravarr almost 9 years
      On the client side, if you do a klist after trying and failing to authenticate from your browser, does it show a ticket for the HTTP/<FQDN>@<LOCAL.DOMAIN> service principal? And does your Apache keytab have any other entries in other than the HTTP principal?
  • pupkinsen
    pupkinsen almost 9 years
    Sorry, I should have mentioned the system in the original question, it's FreeBSD 10.1. Apache version is 2.2 and didn't change.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Apache2, Kerberos: gss_accept_sec_context() failed: An unsupported mechanism was requested
apache using mod_auth_kerb always asks for the password twice
LDAP Auth proxy adding headers according to LDAP groups
Fallback authentication if mod_auth_kerb fails
SSO with Apache and Kerberos issues
Apache2 + mod_auth_kerb: Key version number for principal in key table is incorrect
problems creating a keytab file on win server
Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO
Apache mod_auth_kerb and LDAP user groups
How to tell mod_auth_kerb to do its job despite no "require valid-user"