apache using mod_auth_kerb always asks for the password twice
Solution 1
I don't know if you still need the answer, but I hope I will help someone else by sharing my experience. I believe if you follow theese steps, everything will work fine.
- Make sure you have proper DNS entry for SYD01TBUG02 (A record) on your DNS server pointing to your webserver
- Make sure that you've you have assosiation between SPN of your webservice and AD user. On AD server run this command:
setspn -A HTTP/SYD01TBUG02.onevue.com.au.local ad_username
- Make sure that you've proper keytab generated. Run this command in your AD server:
where xxxxxx is AD user password. We use -crypto ALL option to make sure we add all supported hashes to the keytab file.ktpass -princ HTTP/[email protected] -mapuser ad_username -pass xxxxxx -crypto ALL -ptype KRB5_NT_PRINCIPAL -out SYD01TBUG02.keytab -setupn -setpass
- Now you should copy generated SYD01TBUG02.keytab file to your webserver and copy it to the certain directory. For example, let's copy it to the /etc/apache2/keytab/ folder.
- Example of apache config file for webservice:
<VirtualHost *:80> DocumentRoot "/var/www/kerberos" ServerName SYD01TBUG02.onevue.com.au.local ServerAlias SYD01TBUG02 AddDefaultCharset UTF-8 DirectoryIndex index.php ErrorLog /var/log/apache2/error_SYD01TBUG02.log TransferLog /var/log/apache2/transfer_SYD01TBUG02.log LogLevel warn ServerAdmin [email protected] <Location "/"> AuthType Kerberos KrbAuthRealms ONEVUE.COM.AU.LOCAL KrbServiceName HTTP/[email protected] Krb5Keytab /etc/apache2/keytab/SYD01TBUG02.keytab KrbMethodNegotiate on KrbMethodK5Passwd on KrbVerifyKDC on require valid-user </Location> <Directory /> </Directory> </VirtualHost>
Reload or restart apache - Now if you type http://SYD01TBUG02/ in your browser address bar, you will be automatically logged in your web service via SSO (Chrome, Chromium-like browsers and IE support SSO out of box, but there is also a plugin for Firefox).
sudo service apache2 reload
Hope that will help to set up your Kerberos auth on webserver.
P.S. If you want to enable SSO by full address (e.g. SYD01TBUG02.onevue.com.au.local) you should add SYD01TBUG02.onevue.com.au.local to the intranet zone either via AD Group Policies (if wou need this on several machines in domain) or locally via Internet Explorer settings. Theese settings affect on all browsers installed in system.
Solution 2
That's because the first time the user enters u/p an ntlm token is sent to the server. The second time it's the correct kerberos token.
Unfortunately there is no way you can eliminate the first prompt.
Related videos on Youtube
Comments
-
DrStalker over 1 year
(Debian Squeeze)
I'm trying to set apache up to use Kerberos authentication to allow AD users to log in. It is working, but prompts the user twice for a username and password, with the first time being ignored (no matter what is put it in.) Only the second prompt includes the AuthName string from the config (i.e.: the first windows is a generic username/password one, the second includes the title "Kerberos Login") I'm not worried about integrated windows authentication working at this stage, I just want users to be able to login with their AD account so we don't need to set up a second repository of user accounts.
How do I fix this to eliminate that first useless prompt?
The directives in the apache2.conf file:
<Directory /var/www/kerberos> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms ONEVUE.COM.AU.LOCAL Krb5KeyTab /etc/krb5.keytab KrbServiceName HTTP/[email protected] require valid-user </Directory>
krb5.conf:
[libdefaults] default_realm = ONEVUE.COM.AU.LOCAL [realms] ONEVUE.COM.AU.LOCAL = { kdc = SYD01PWDC01.ONEVUE.COM.AU.LOCAL master_kdc = SYD01PWDC01.ONEVUE.COM.AU.LOCAL admin_server = SYD01PWDC01.ONEVUE.COM.AU.LOCAL default_domain = ONEVUE.COM.AU.LOCAL } [login] krb4_convert = true krb4_get_tickets = false
The access log when accessing the secured directory (note the two seperate 401's)
192.168.10.115 - - [24/Aug/2012:15:52:01 +1000] "GET /kerberos/ HTTP/1.1" 401 710 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1" 192.168.10.115 - - [24/Aug/2012:15:52:06 +1000] "GET /kerberos/ HTTP/1.1" 401 680 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1" 192.168.10.115 - [email protected] [24/Aug/2012:15:52:10 +1000] "GET /kerberos/ HTTP/1.1" 200 375 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1"
And one line in error.log
[Fri Aug 24 15:52:06 2012] [error] [client 192.168.0.115] gss_accept_sec_context(2) failed: An unsupported mechanism was requested (, Unknown error)