SSO with Apache and Kerberos issues


If I'm interpreting the error right, I think it means that you have an old version of a key in /etc/apache2/httpd.keytab. Every time the key is changed for a Kerberos principal via kadmin, the version number is incremented and older versions of that key are invalidated.

The kinit command/login only shows that the host key inside of /etc/krb5.keytab is intact. This does not necessarily mean that the kvno inside of httpd.keytab is valid and you will need to check it against the KDC.

Start a kadmin session against your KDC and invoke getprinc <principalname>. Look for "Key: vno"; this tells you what the KDC considers to be the version number. If the KDC has a more recent version of the key, you need to re-export this key to the host in question. I would go ahead and check the validity of all the keys in /etc/krb5.keytab while you're at it, just to make sure there aren't any other time bombs lurking around.

Hopefully this helps!
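As an added example (not part of the original answer), here is a small POSIX shell check that parses the two outputs the answer points at, `klist -ke` on the keytab and the "Key: vno" lines from a kadmin `getprinc`, and reports whether the keytab still holds the version the KDC currently uses. The inputs below are constructed sample outputs for a hypothetical host web01 so the check runs offline; in practice you would capture them from the real commands.

```shell
#!/bin/sh
# Added example, not from the original answer: compare the key version numbers
# (KVNO) held in a keytab with the version the KDC reports, so a stale keytab
# is caught before Apache logs "Key version number for principal in key table
# is incorrect". In real use the two inputs come from `klist -ke "$keytab"`
# and a kadmin `getprinc "$principal"` session; here both are constructed
# sample outputs (hypothetical host web01) so the check runs offline.

PRINCIPAL='HTTP/web01.company.local@COMPANY.LOCAL'

# Constructed sample: klist -ke output, keytab still at version 8
KEYTAB_LISTING='Keytab name: FILE:httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 HTTP/web01.company.local@COMPANY.LOCAL (ArcFour with HMAC/md5)'

# Constructed sample: kadmin getprinc output after the key was regenerated
GETPRINC_STALE='Principal: HTTP/web01.company.local@COMPANY.LOCAL
Number of keys: 2
Key: vno 9, aes256-cts-hmac-sha1-96
Key: vno 9, arcfour-hmac'

# Constructed sample: getprinc output when the KDC and keytab agree
GETPRINC_OK='Principal: HTTP/web01.company.local@COMPANY.LOCAL
Number of keys: 1
Key: vno 8, arcfour-hmac'

# keytab_kvnos LISTING PRINCIPAL: print each KVNO the keytab holds for PRINCIPAL
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }'
}

# kdc_kvno GETPRINC_OUTPUT: print the highest "Key: vno N" the KDC reports
kdc_kvno() {
    printf '%s\n' "$1" | awk '/^Key: vno/ { sub(/,$/, "", $3); print $3 }' | sort -n | tail -n 1
}

# check_kvno LISTING GETPRINC_OUTPUT PRINCIPAL: returns 0 if the keytab has the
# KDC's current version, 1 if the key must be re-exported (ktpass/ktutil)
check_kvno() {
    want=$(kdc_kvno "$2")
    [ -n "$want" ] || return 1
    for have in $(keytab_kvnos "$1" "$3"); do
        [ "$have" = "$want" ] && return 0
    done
    echo "stale keytab: KDC at kvno $want, keytab has: $(keytab_kvnos "$1" "$3" | tr '\n' ' ')" >&2
    return 1
}
```

Run against the stale sample the check fails and names both versions; against the matching sample it returns 0.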


Author: tbh1

Updated on September 18, 2022

Comments

  • tbh1 over 1 year

    I am trying to set up SSO on my Apache web server using Kerberos so that users logged into the local domain are recognised and logged in immediately.

    I have followed this guide to the letter but I cannot get rid of the user/password prompt once everything is set up.

    I am using Ubuntu 8.04 and have installed mod_auth_kerb 5.4 for Apache.

    My /etc/krb5.conf:

    [libdefaults]
      default_realm = COMPANY.LOCAL
    [domain_realm]
      .company.local = COMPANY.LOCAL
      company.local = COMPANY.LOCAL
    [realms]
      COMPANY.LOCAL = {
        default_domain = company.local
        kdc = DC01.COMPANY.LOCAL:88
        admin_server = DC01.COMPANY.LOCAL
      }

    My Apache configuration:

    <Location />
    AuthType Kerberos
    AuthName "server login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms COMPANY.LOCAL
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/httpd.keytab
    KrbVerifyKDC off
    KrbLocalUserMapping on
    require valid-user
    </Location>

    Keytab was generated by our admin using

    ktpass -princ HTTP/[email protected] -mapuser hostname -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass CHOOSEPASSWORD -out httpd.keytab

    I have issued the relevant chmod/chown commands. On the server, I successfully issued kinit HTTP/[email protected] and logged in.

    kvno / klist output:

    # kvno HTTP/[email protected]
    HTTP/[email protected]: kvno = 8
    # klist -ke httpd.keytab
    Keytab name: FILE:httpd.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       8 HTTP/[email protected] (ArcFour with HMAC/md5)

    I have configured my browser (tried both FF and IE on Windows 7) to pass the credentials along to hopefully get rid of the prompt, but it is not working.

    The Apache error logs are saying:

    [error] [client 10.0.0.1] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Key version number for principal in key table is incorrect)
    [error] [client 10.0.0.1] gss_accept_sec_context() failed: Invalid token was supplied (, No error)

    Has anyone got any suggestions as to what I need to get this working?

  • Andrew B over 11 years
    I mentioned the wrong keytab in the original version of this post. Please review the newest revision if you haven't already.
  • tbh1 over 11 years
    Thanks for that. I came into work today to find it working as I would expect. Not sure what changed.
  • Andrew B over 11 years
    Check the timestamp on httpd.keytab. If it's been modified, a coworker might've beaten you to it. :)