authentication - Apache Kerberos not Authenticating from Windows Client


Using a number of great websites as reference, I set up an Apache 2.4 environment on Solaris 11 using auth_gss_module for Kerberos authentication. The problem I have is not being able to access the authorized page using IE, Chrome, or Firefox on Windows 7 or Windows Server 2008. I have been successful accessing the secured page with curl, Python scripts, and the Safari and Firefox browsers on OS X 10.10. I have listed the output of both successful and failed attempts at Kerberos authentication. I'm not sure if there might be a configuration setting within AD that needs to be changed, or maybe an encryption difference. Looking for suggestions on what to try next. Thank you.

A keytab was created for me by the AD admin; these are the contents of the keytab:

    cyoull@host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab
    keytab name: file:host0ad903_keytab
    kvno principal
    ---- --------------------------------------------------------------------------
       3 http/host0ad903.abc.def.net@abc.def.net

On OS X, this is the list of Kerberos tickets from the klist command:

    chriss-macbook-air:~ chris$ klist
    credentials cache: api:ef1241c7-a883-44a8-9729-969775673bca
            principal: cyoull@abc.def.net
       issued                expires               principal
    sep 25 07:22:52 2015  sep 25 17:22:40 2015  krbtgt/abc.def.net@abc.def.net

    chriss-macbook-air:~ chris$ klist
    credentials cache: api:ef1241c7-a883-44a8-9729-969775673bca
            principal: cyoull@abc.def.net
       issued                expires               principal
    sep 25 07:22:52 2015  sep 25 17:22:40 2015  krbtgt/abc.def.net@abc.def.net
    sep 25 07:23:06 2015  sep 25 17:22:40 2015  http/host0ad903.abc.def.net@abc.def.net

    valid starting               expires               service principal
    18/09/2015 10:17  18/09/2015 20:17  krbtgt/abc.def.net@abc.def.net
            renew until 25/09/2015 10:17, etype(skey, tkt): arcfour hmac/md5, aes-256 cts mode 96-bit sha-1 hmac
    18/09/2015 10:17  18/09/2015 20:17  http/host0ad903.abc.def.net@abc.def.net
            renew until 25/09/2015 10:17, etype(skey, tkt): arcfour hmac/md5, arcfour hmac/md5

This is the Apache log after accessing the secured page with Kerberos authentication from Safari on OS X:

    [fri sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = gssapi
    [fri sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] no authentication data found
    [fri sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
    [fri sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = gssapi
    [fri sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
    [fri sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] using keytab: krb5_ktname=/local_apps/apache4/conf/certs/host0ad903_keytab
    [fri sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] client wants gss mech: spnego
    [fri sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds http@host0ad903.abc.def.net
    [fri sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: http@host0ad903.abc.def.net
    [fri sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] authenticated user (final result) : cyoull@abc.def.net

This is the Apache log file after a successful attempt with the Python script on Windows Server 2008:

    [thu sep 17 16:29:48.890889 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = gssapi
    [thu sep 17 16:29:48.890900 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(632): [client 10.115.2.117:50526] no authentication data found
    [thu sep 17 16:29:48.890909 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(592): [client 10.115.2.117:50526] note_gss_auth_failure: auth_name = <undefined>
    [thu sep 17 16:29:48.908047 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = gssapi
    [thu sep 17 16:29:48.908056 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(334): [client 10.115.2.117:50526] authenticate_user_gss called
    [thu sep 17 16:29:48.908080 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(373): [client 10.115.2.117:50526] using keytab: krb5_ktname=/local_apps/apache4/conf/certs/host0ad903_keytab
    [thu sep 17 16:29:48.908188 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(411): [client 10.115.2.117:50526] client wants gss mech: kerberos_v5
    [thu sep 17 16:29:48.908203 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(288): [client 10.115.2.117:50526] acquire_server_creds http@host0ad903.abc.def.net
    [thu sep 17 16:29:48.910360 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(438): [client 10.115.2.117:50526] got server creds for: http/host0ad903.abc.def.net@abc.def.net
    [thu sep 17 16:29:48.917847 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(524): [client 10.115.2.117:50526] authenticated user before authgssstripdomainat: cyoull@abc.def.net
    [thu sep 17 16:29:48.917863 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(533): [client 10.115.2.117:50526] authenticated user before authgssforcecase: coy
    [thu sep 17 16:29:48.917873 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(549): [client 10.115.2.117:50526] authenticated user (final result) : cyoull@abc.def.net

These are the Kerberos tickets on the Windows 7 client:

    u:\>klist
    current logonid 0:0xa84757
    cached tickets: (2)

    #0>     client: cyoull @ abc.def.net
            server: krbtgt/abc.def.net @ abc.def.net
            kerbticket encryption type: aes-256-cts-hmac-sha1-96
            ticket flags 0x40e00000 -> forwardable renewable initial pre_authent
            start time: 9/25/2015 9:19:28 (local)
            end time:   9/25/2015 19:19:28 (local)
            renew time: 10/2/2015 9:19:28 (local)
            session key type: aes-256-cts-hmac-sha1-96

    #1>     client: cyoull @ abc.def.net
            server: http/host0ad903.abc.def.net @ abc.def.net
            kerbticket encryption type: rsadsi rc4-hmac(nt)
            ticket flags 0x40a00000 -> forwardable renewable pre_authent
            start time: 9/25/2015 9:19:30 (local)
            end time:   9/25/2015 19:19:28 (local)
            renew time: 10/2/2015 9:19:28 (local)
            session key type: rsadsi rc4-hmac(nt)

Using the developer tools in Firefox I see 3 requests, and in the Apache log file it looks as if the Kerberos negotiation is tried more than once and fails with 401 Unauthorized:

    [fri sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = gssapi
    [fri sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] no authentication data found
    [fri sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
    [fri sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = gssapi
    [fri sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
    [fri sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] using keytab: krb5_ktname=/local_apps/apache4/conf/certs/host0ad903_keytab
    [fri sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] client wants gss mech: spnego
    [fri sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds http@host0ad903.abc.def.net
    [fri sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: http@host0ad903.abc.def.net
    [fri sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] authentication failed.
    [fri sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
    [fri sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = gssapi
    [fri sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
    [fri sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] using keytab: krb5_ktname=/local_apps/apache4/conf/certs/host0ad903_keytab
    [fri sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] client wants gss mech: <unknown>
    [fri sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds http@host0ad903.abc.def.net
    [fri sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: http/host0ad903.abc.def.net@abc.def.net
    [fri sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: invalid token supplied (unknown error)
    [fri sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] authentication failed.
    [fri sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>

Have you configured the web browsers on Windows to HTTP-negotiate with the server? For example, in Firefox you need to set:

    network.negotiate-auth.trusted-uris = abc.def.net

or a pattern matching the URL. Chrome has to be told that it is willing to authenticate to a particular server, e.g. with:

    --auth-server-whitelist="*.foo.com"

or via group policy.

If that's not the problem, please do this:

  1. ipconfig /flushdns
  2. klist purge
  3. Run Wireshark and capture the HTTP, DNS, and Kerberos traffic during the failure (ports 80, 53, and 88).
  4. Post the resulting pcap file.
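A quick check that goes with the browser-configuration advice and the packet capture above, added here as an example and not code from the original post or from mod_auth_gss: it decodes the `Authorization: Negotiate` value a Windows browser sends and reports whether the token is a GSS-API InitialContextToken carrying the SPNEGO or Kerberos 5 mechanism OID (RFC 2743 / RFC 4178) or a raw NTLMSSP message, which a GSSAPI-only module cannot accept and which a browser that has not been told to trust the server for Negotiate may fall back to. The sample header values are constructed, not captured from the question's environment.

```python
import base64
import re

# GSS-API mechanism OIDs as DER contents bytes, keyed to a label.
MECHS = {
    bytes.fromhex("2b0601050502"): "spnego",          # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (MS KRB5)
}


def _der_len(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index after the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_negotiate_token(header_value: str) -> str:
    """Return 'ntlmssp', 'spnego', 'kerberos' or 'unknown' for one header value."""
    m = re.match(r"^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$", header_value)
    if not m:
        return "unknown"
    try:
        tok = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return "unknown"
    if tok.startswith(b"NTLMSSP\x00"):    # raw NTLM message, not a GSS token
        return "ntlmssp"
    try:
        if tok[0] != 0x60:                # [APPLICATION 0] InitialContextToken tag
            return "unknown"
        _, i = _der_len(tok, 1)
        if tok[i] != 0x06:                # OBJECT IDENTIFIER tag of thisMech
            return "unknown"
        oid_len, i = _der_len(tok, i + 1)
    except IndexError:                    # truncated token
        return "unknown"
    return MECHS.get(tok[i:i + oid_len], "unknown")


def _header(tok: bytes) -> str:
    return "Negotiate " + base64.b64encode(tok).decode("ascii")


# Constructed samples: NTLM Type 1 prefix, a minimal SPNEGO header, and a
# Kerberos AP-REQ-style token long enough to need a two-byte DER length.
SAMPLES = {
    "ntlm": _header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "spnego": _header(b"\x60\x0a\x06\x06" + bytes.fromhex("2b0601050502") + b"\xa0\x00"),
    "krb5": _header(b"\x60\x81\x8f\x06\x09" + bytes.fromhex("2a864886f712010202")
                    + b"\x01\x00" + b"\x00" * 130),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name}: {classify_negotiate_token(hdr)}")
```

Feed it the header value from the browser's developer tools or from the `http.authorization` field of the Wireshark capture; a result of `ntlmssp` or `unknown` on the request that produced `client wants gss mech: <unknown>` points at the browser's Negotiate configuration rather than at the keytab or AD.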
