mod_auth_kerb failing when invalid credentials given

Hi,

I have two Apache 2.2.15 servers running on Red Hat 6.7, both of which are using the mod_auth_kerb module to authenticate users. As far as I can see, the Apache and module config is identical, but I’m seeing different behaviour when a user enters an invalid username. One will just reprompt for the credentials; the other gives a 403 Forbidden error. This doesn’t happen when the user enters an invalid password with a valid user; in this instance the user gets reprompted for the password.

My auth_kerb.conf file is identical apart from the keytab filename on both:

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /idp/Authn/RemoteUser>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Shib Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.AC.UK
    Krb5KeyTab /etc/shibdevkerb.keytab
    KrbSaveCredentials On
    KrbServiceName HTTP/server.dev.publicdomain.ac.uk@xxxxxxxxxxxx
    require valid-user
</Location>

I can successfully perform a kinit on both, so Kerberos is working OK as far as I can tell. However, I’m not sure why the invalid user would be rejected on one and not the other.

The error log on the failing server shows:

[Tue Aug 18 11:29:58 2015] [error] [client 192.168.219.233] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer: https://server.publicdomain.ac.uk/CookieAuth.dll?GetLogon?curl=Z2FidpZ2FAuthnZ2FRemoteUser&reason=0&formdir=2

For reference, this server is part of a Shibboleth IdP setup, published to the internet using MS Forefront TMG. Once authentication has happened, the Apache server passes on to a Tomcat server for the Shibboleth functions to run using the RemoteUser handler.

Can somebody please point out just where I might be able to find the thing that is different between these servers in order to resolve this?

Cheers,

Andi



Cardiff Metropolitan University - 150 years of nurturing talent
