Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Kerberos/Apache receiving Active Directory user/password in plain text

16 views
Skip to first unread message

LUISRAMOS

unread,
Oct 29, 2009, 11:04:13 AM10/29/09
to kerb...@mit.edu

Hi all,

We have a unix web server with Apache were we installed kerberos to
implement single sign on. The idea with this is to have the ability of
autenticating through the Windows Active Directory once not needing to log
again in the unix box. After the setup, the autentication works. When we
log in to the unix server, a popup window asks for user/pwd. After entering
user/pwd the credentials are autenticated against the windows active
directory and the access to the unix/apache box is granted. However, what
we want is to avoid this login popup. We noticed that when the popup window
is displayed the following message is seeing in the popup: "Warning: This
server is requesting that your username and password be sent in an insecure
manner (basic authentication without a secure connection). Looks like the
internet browser is sending the credentials in plain text to the unix box.

Anybody has an idea on how we can configure Kerberos, or any other component
to avoid this popup window.

Thanks in advance
--
View this message in context: http://www.nabble.com/Kerberos-Apache-receiving-Active-Directory-user-password-in-plain-text-tp26114792p26114792.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

Michael Ströder

unread,
Oct 30, 2009, 4:41:21 PM10/30/09
to
LUISRAMOS wrote:
> We have a unix web server with Apache were we installed kerberos to
> implement single sign on.

I guess you're using mod_auth_kerb?

> The idea with this is to have the ability of
> autenticating through the Windows Active Directory once not needing to log
> again in the unix box. After the setup, the autentication works. When we
> log in to the unix server, a popup window asks for user/pwd. After entering
> user/pwd the credentials are autenticated against the windows active
> directory and the access to the unix/apache box is granted. However, what
> we want is to avoid this login popup. We noticed that when the popup window
> is displayed the following message is seeing in the popup: "Warning: This
> server is requesting that your username and password be sent in an insecure
> manner (basic authentication without a secure connection). Looks like the
> internet browser is sending the credentials in plain text to the unix box.
>
> Anybody has an idea on how we can configure Kerberos, or any other component
> to avoid this popup window.

Set "KrbMethodK5Passwd off" in httpd.conf.

See also: http://modauthkerb.sourceforge.net/configure.html

Ciao, Michael.

--
Michael Str�der
E-Mail: mic...@stroeder.com
http://www.stroeder.com

LUISRAMOS

unread,
Nov 2, 2009, 10:15:05 AM11/2/09
to kerb...@mit.edu

> Michael Ströder
> E-Mail: mic...@stroeder.com
> http://www.stroeder.com
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
============================
Michael, I changed the parameter and got this message:

Authorization Required
This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password),
or your browser doesn't understand how to supply the credentials required.


--------------------------------------------------------------------------------

Apache/2.0.52 (Unix) DAV/2 mod_auth_kerb/5.4 Server at prcognosweb Port 80

--
View this message in context: http://old.nabble.com/Kerberos-Apache-receiving-Active-Directory-user-password-in-plain-text-tp26114792p26157127.html

Michael Ströder

unread,
Nov 3, 2009, 2:04:09 AM11/3/09
to
LUISRAMOS wrote:
>
> Michael Ströder wrote:
>> LUISRAMOS wrote:
>>> We have a unix web server with Apache were we installed kerberos to
>>> implement single sign on.
>> I guess you're using mod_auth_kerb?
>>
>>> The idea with this is to have the ability of autenticating through the
>>> Windows Active Directory once not needing to log again in the unix box.
>>> After the setup, the autentication works. When we log in to the unix
>>> server, a popup window asks for user/pwd. After entering user/pwd the
>>> credentials are autenticated against the windows active directory and
>>> the access to the unix/apache box is granted. However, what we want is
>>> to avoid this login popup. We noticed that when the popup window is
>>> displayed the following message is seeing in the popup: "Warning: This
>>> server is requesting that your username and password be sent in an
>>> insecure manner (basic authentication without a secure connection).
>>> Looks like the internet browser is sending the credentials in plain
>>> text to the unix box.
>>>
>>> Anybody has an idea on how we can configure Kerberos, or any other
>>> component to avoid this popup window.
>>
>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>
>> See also: http://modauthkerb.sourceforge.net/configure.html
>
> Michael, I changed the parameter and got this message:
>
> Authorization Required
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.

Well, you have to set up your environment to let the browser use SPNEGO/Kerberos.

Ciao, Michael.

LUISRAMOS

unread,
Nov 6, 2009, 1:12:50 PM11/6/09
to kerb...@mit.edu

We tried using the GSS module and it worked smoothly for Solaris 10, since
the apache for this solaris version brings all the needed modules off the
shelf. However, we havent been able to make it work in Solaris 9, looks
like we might be having an issue with the libraries needed to replicate the
same components Solaris 10 has. When we look at the error logs for Solaris
9 this is what we get.

Client wants GSS mech: <unknown>

For Solaris 10, which it works nicely this is the meesage:

Client wants GSS mech: spnego

We are testing different alternatives with the compilation of the gss module
to see what could we be missing.

Regards

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
View this message in context: http://old.nabble.com/Kerberos-Apache-receiving-Active-Directory-user-password-in-plain-text-tp26114792p26230848.html

Douglas E. Engert

unread,
Nov 6, 2009, 2:40:46 PM11/6/09
to LUISRAMOS, kerb...@mit.edu

LUISRAMOS wrote:
> We tried using the GSS module and it worked smoothly for Solaris 10, since
> the apache for this solaris version brings all the needed modules off the
> shelf. However, we havent been able to make it work in Solaris 9, looks
> like we might be having an issue with the libraries needed to replicate the
> same components Solaris 10 has. When we look at the error logs for Solaris
> 9 this is what we get.
>
> Client wants GSS mech: <unknown>
>
> For Solaris 10, which it works nicely this is the meesage:
>
> Client wants GSS mech: spnego
>
> We are testing different alternatives with the compilation of the gss module
> to see what could we be missing.
>

Solaris 9 is pretty old, and Sun did not expose the Kerberos API. We always
used the MIT Kerberos on Solair 9. Solaris 10 is much better, and Sun keeps it
more up to date, and has exposed the Kerberos API.

If you are not on the modauthk...@lists.sourceforge.net you should be.
There is a Solaris discussion going on there.


> Regards

>> ________________________________________________
>> Kerberos mailing list Kerb...@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

0 new messages