Re: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some Users



Run kerbtray.exe on the Windows system and try to purge all the available ticket
cache.

On Nov 26, 2007 6:08 PM, <f.d@xxxxxx> wrote:

Sounds like the same problem I posted last week. Unfortunately I have not
found a solution for it. If you find any, please let me know, I will do the
same.

Just to check:
[ ] You have the "Enable Integrated Windows Authentication" checkbox
checked and restarted your browser
[ ] You have added the site you are contacting to your "local intranet
zone"
[ ] In security Settings for intranet zone "Automatic logon only in
intranet zone" is selected

Regards,
Florian


-------- Original Message --------
Date: Mon, 26 Nov 2007 03:04:43 -0800 (PST)
From: palm <palma1977@xxxxxxxxxxxxxx>
To: kerberos@xxxxxxx
Subject: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for
some Users

hi,

currently we had a heavy problem with our SSO configuration. you can see
in subject which configuration we have. it's an apache2 with kerberos
modules and the users are in an MS active directory.

everything works rather fine. but some of the users get a login
message dialog box few times a day. after the login with their
username and password everything works fine. some of them get the
box again after a while and some don't.

for the most of all users it works fine. but it's not only a special
group who had this login box problem. the most of all users had
already this problem not

when a User gets the Login Box we found these messages in the Apache
logs :

[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1174): [client 192.168.2.115] Acquiring creds for HTTP/webserver.maindomain.com@xxxxxxxxxxxxxx

[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1314): [client 192.168.2.115] Verifying client data using KRB5 GSS-API
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1330): [client 192.168.2.115] Verification returned code 589824
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

[Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(943): [client 192.168.2.115] Using HTTP/webserver.maindomain.com@xxxxxxxxxxxxxx as server principal for password verification
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for user userpalm@xxxxxxxxxxxxxx
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(597): [client 192.168.2.115] Trying to verify authenticity of KDC using principal HTTP/webserver.maindomain.com@xxxxxxxxxxxxxx

The reason for that Problem is that the Browser tried to get an NTLM
Ticket but we don't know why .... everything is configured for
Kerberos and for the most of all User it works fine. We checked already
different Browsers and we have this Problem with IE 6 & 7 and Firefox.

I hope someone here had a great Idea what we can do.

greetz
palm
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos




--
Nikhil

Google is Great !
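
Added example, not part of the thread and not mod_auth_kerb's own code: a small triage script that groups mod_auth_kerb debug entries by client IP, so the workstations that send NTLM tokens (and then fall back to a password login) can be told apart from those that negotiate Kerberos. It matches only the two message strings quoted in the original post; the sample log, the 192.168.2.120 client and alice@EXAMPLE.COM are constructed.

```python
import re
from collections import defaultdict

TS = r"\[\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}\]"
HEAD = re.compile(r"(" + TS + r") \[(\w+)\] (.*)")
CLIENT = re.compile(r"\[client ([\d.]+)\]")
TGT = re.compile(r"Trying to get TGT for user (\S+)")

# Constructed sample with mail-style line folding and run-together entries.
SAMPLE = """[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client
192.168.2.115] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357):
[client 192.168.2.115] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration. [Wed Nov 21
12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed:
A token was invalid [Wed Nov 21 12:24:11
2007] [debug] src/mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for
user alice@EXAMPLE.COM [Wed Nov 21 12:30:00 2007] [debug] src/mod_auth_kerb.c(1483):
[client 192.168.2.120] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
"""

def split_entries(raw):
    """Undo line folding, then cut the text at every '[timestamp] [level]'."""
    text = " ".join(raw.split())
    chunks = re.split(r"(?=" + TS + r" \[\w+\])", text)
    return [HEAD.match(c).groups() for c in chunks if HEAD.match(c)]

def triage(raw):
    """Per client IP: NTLM tokens rejected and password logins that followed."""
    report = defaultdict(
        lambda: {"ntlm_tokens": 0, "password_logins": 0, "users": set()})
    for _ts, _level, body in split_entries(raw):
        client = CLIENT.search(body)
        if not client:
            continue
        entry = report[client.group(1)]
        if "received token seems to be NTLM" in body:
            entry["ntlm_tokens"] += 1
        user = TGT.search(body)
        if user:  # password verification path, as in the post's 12:24:11 entries
            entry["password_logins"] += 1
            entry["users"].add(user.group(1))
    return dict(report)

if __name__ == "__main__":
    for ip, stats in sorted(triage(SAMPLE).items()):
        print(ip, stats)
```

Clients with a non-zero `ntlm_tokens` count are the ones to check against the browser checklist and the ticket-cache purge suggested in the replies.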