Apache2, Kerberos: gss_accept_sec_context() failed: An unsupported mechanism was requested

apache-2.2 kerberos single-sign-on mod-auth-kerb
30,156

Solution 1

There was problem with principals. I recreated /etc/httpd/httpd.keytab and added HTTP principial correctly and all works fine!

Solution 2

In a simple setup, using mod_auth_gssapi and FreeIPA as the krb5 server and to generate keytabs, I found out that adding the following next to the AuthType command addressed the issue. 

BrowserMatch Windows gssapi-no-negotiate

Based on the answer from andsens, it seems indeed this is happening on Windows clients that try to use NTLM. GssapiAllowedMech krb5 and GssapiBasicAuthMech krb5 don't give a successful outcome to the negotiation, so the only solution seems to be to disable the negotiation. I cannot guarantee this is accurate, though, but it worked for me.

The corresponding documentation is here

Solution 3

I have discovered another reason for this error:
Windows tries to authenticate with NTLM. Actually that is the root of the problem.

I don't understand how recreating the keytab helped, the error would then be something along the lines of "Key table entry not found".
Windows tries to authenticate via NTLM when it cannot acquire a ticket from the KDC.
For me, the reason for that was that my server was not located within the same realm. The domain was ad.domain.com, but my server was located at something.domain.com. I am sure you can allow this somehow as well, but the easy fix is simply to change the hostname pointing to the server (and then creating a new keytab for that domain).

Share:
30,156

Related videos on Youtube

petRUShka
Author by

petRUShka

Updated on September 18, 2022

Comments

  • petRUShka
    petRUShka over 1 year

    I want to use Kerberos and Apache 2 on linux with mod_auth_kerb.

    I added .htaccess to my project with following:

    #SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/httpd/httpd.keytab
KrbLocalUserMapping On
require valid-user

    When I tried to test my single sign on on IE or Firefox I get the following error in apache log:

    [Thu Jan 19 21:03:27 2012] [error] [client 10.65.0.1] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

    I don't know what is it and what I should do to make it work.

    My aim is to get REMOTE_USER to be filled by AD user name. But now I can't do anything because of this error...

  • Asaf Magen
    Asaf Magen almost 6 years
    can u please share the exact command you run for that?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Apache 2.2 mod_auth_kerb SSO stopped working
apache using mod_auth_kerb always asks for the password twice
LDAP Auth proxy adding headers according to LDAP groups
Fallback authentication if mod_auth_kerb fails
SSO with Apache and Kerberos issues
Apache2 + mod_auth_kerb: Key version number for principal in key table is incorrect
problems creating a keytab file on win server
Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO
Apache mod_auth_kerb and LDAP user groups
How to tell mod_auth_kerb to do its job despite no "require valid-user"