Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

RE: Error while authenticating using mod_auth_kerb module

281 views
Skip to first unread message

Gopalan, Sriram

unread,
May 9, 2007, 3:22:53 PM5/9/07
to
Vijay,

Make sure you have everything setup as per this doc.
http://www.grolmsnet.de/kerbtut/

Also download kerbtray. Its part of Windows 2000 Resource Kit. It will
give you an idea of the ticket status.

Post the results back, I can help you on this. We just completed rolling
out a site with Linux-Apache-mod_auth_kerb-AD for a userbase of 6000+.

Thanks
Sriram

-----Original Message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On
Behalf Of vijay...@persistent.co.in
Sent: Wednesday, May 09, 2007 8:57 AM
To: kerb...@mit.edu
Subject: Error while authenticating using mod_auth_kerb module

Hi All,

I am using mod_auth_kerb module on Apache web server to authenitcate
user based on the Windows login.

The token based authentication is not sucessful and am getting
"authorization required" message after providing credentials through
pop-up three times.
Basically teh issue is with the token povied by IE. It is NTLM instead
of kerberos token.

I googled on net and found the the issue is with IE settings.
I followed the *resolutions* mentioned at the following link

http://technet2.microsoft.com/windowsserver/en/library/6291dce1-4ea8-4b4
f-a9c1-23926ab6e8dd1033.mspx?mfr=true

i.e enabling IWA through browser.
Adding site to intranet list
Disabling proxies

But still not able to get Kerberos token from IE


Following is the message in Apache log
Warning: received token seems to be NTLM, which isn't supported by the
Kerberos module. Check your IE configuration.


Can someone help me resolve the issue?

Thanks,
Vijay

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is
the property of Persistent Systems Pvt. Ltd. It is intended only for the
use of the individual or entity to which it is addressed. If you are not
the intended recipient, you are not authorized to read, retain, copy,
print, distribute or use this message. If you have received this
communication in error, please notify the sender and delete all copies
of this message. Persistent Systems Pvt. Ltd. does not accept any
liability for virus infected mails.
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Gopalan, Sriram

unread,
May 9, 2007, 3:27:22 PM5/9/07
to
It should not be getting into basic auth. Still it should authenticate
in basic mode, unless you type wrong password.
So most likely it might be the issue with your httpd.conf or kerb5.conf.


--Sriram

vijay...@persistent.co.in

unread,
May 9, 2007, 11:57:10 AM5/9/07
to

Vijay Jain

unread,
May 11, 2007, 10:01:06 AM5/11/07
to
Hi all,


I have been able to authenticate the user based on the credentials provided
but still not able to resolve the issue of NTLM based token from the
browser.
Following is the error message from apache web server for token processing


Warning: received token seems to be NTLM, which isn't supported by the
Kerberos module. Check your IE configuration.

I tried with IE as well as MOzilla browser.
I followed the respective configuration for IE and Mozilla but still not
able to get the Kerberos token.

It seems that there must be some configuration for the windows machine to
send kerberos token instead of NTLM.

Could someone please let me know the required configuration to fetch
kerberos based token from the browser?

Thanks,
Vijay


-----Original Message-----
From: Vijay Jain [mailto:vijay...@persistent.co.in]
Sent: Thursday, May 10, 2007 10:28 PM
To: Gopalan, Sriram; kerb...@mit.edu
Subject: RE: Error while authenticating using mod_auth_kerb module


Hi Sriram,

I am obliged by your eagerness to help me resolve my issue. Thank you very
much.

Please find attached mod_auth_kerb configuration doc containing the
configuration details for the AD server and apache web server configuration.

The document contains
1) Snap shots of KERBTRAY.EXE
2) APACHE error logs
3) /etc/krb5.conf
4) httpd.conf configuration for mod_auth_kerb
5) ktpass.exe input paramters
6) kinit command output etc..


Please provide feedback, if any.

Thanks,
Vijay

-----Original Message-----
From: Gopalan, Sriram [mailto:sgop...@etrade.com]
Sent: Thursday, May 10, 2007 12:57 AM
To: vijay...@persistent.co.in; kerb...@mit.edu
Subject: RE: Error while authenticating using mod_auth_kerb module


It should not be getting into basic auth. Still it should authenticate
in basic mode, unless you type wrong password.
So most likely it might be the issue with your httpd.conf or kerb5.conf.


--Sriram

-----Original Message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On
Behalf Of vijay...@persistent.co.in
Sent: Wednesday, May 09, 2007 8:57 AM
To: kerb...@mit.edu
Subject: Error while authenticating using mod_auth_kerb module

Michael B Allen

unread,
May 11, 2007, 1:00:08 PM5/11/07
to
On Fri, 11 May 2007 19:31:06 +0530
"Vijay Jain" <vijay...@persistent.co.in> wrote:

> Hi all,
>
>
> I have been able to authenticate the user based on the credentials provided
> but still not able to resolve the issue of NTLM based token from the
> browser.
> Following is the error message from apache web server for token processing
> Warning: received token seems to be NTLM, which isn't supported by the
> Kerberos module. Check your IE configuration.
>
> I tried with IE as well as MOzilla browser.
> I followed the respective configuration for IE and Mozilla but still not
> able to get the Kerberos token.
>
> It seems that there must be some configuration for the windows machine to
> send kerberos token instead of NTLM.
>
> Could someone please let me know the required configuration to fetch
> kerberos based token from the browser?

Look at Issues 3 and 5 in the Possible Issues section of the following
document:

http://www.ioplex.com/d/Plexcel_Operators_Manual.pdf

Note: Our product is not related to mod_auth_kerb but the protocol and
client configuration is the same.

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

Michael B Allen

unread,
May 15, 2007, 12:02:37 PM5/15/07
to
Hi Vijay and Sriram,

Client configuration and the service account all *looks* good.

Now reboot the client and try again.

If you ever get the Windows "Network Password Dialog" DO NOT enter
anything into it. IE will remember the credentials and try to do NTLM
for the remainder of your logon session.

Get kerbtray.exe from the Resource Kit Tools package
from MS' website and see if you're getting a ticket for
HTTP/ps0749.pers...@OBPS0450.PERSISTENT.CO.IN.

Also, your web server is in persistent.co.in domain but the HTTP service
account was created in the child domain obps0450.persistent.co.in. Is
there any reason why you did that? It should still work if there's a
sufficient trust between the two domains but that might be related to
your problem.

Mike

0 new messages