Hi, I have two Apache 2.2.15 servers running on Redhat 6.7, both of which are using the mod_auth_kerb module to authenticate users. As far as I can see the Apache and module config is identical, but I'm seeing different behaviour when a user enters an invalid username. One will just reprompt for the credentials, the other gives a 403 Forbidden error. This doesn't happen when the user enters an invalid password with a valid user; in this instance the user gets reprompted for the password.

My auth_kerb.conf file is identical apart from the keytab filename on both:

    LoadModule auth_kerb_module modules/mod_auth_kerb.so
    <Location /idp/Authn/RemoteUser>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Shib Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.AC.UK
        Krb5KeyTab /etc/shibdevkerb.keytab
        KrbSaveCredentials On
        KrbServiceName HTTP/server.dev.publicdomain.ac.uk@xxxxxxxxxxxx
        require valid-user
    </Location>

I can successfully perform a kinit on both, so Kerberos is working OK as far as I can tell. However I'm not sure why the invalid user would be rejected on one and not the other. The error log on the failing server shows:

    [Tue Aug 18 11:29:58 2015] [error] [client 192.168.219.233] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer: https://server.publicdomain.ac.uk/CookieAuth.dll?GetLogon?curl=Z2FidpZ2FAuthnZ2FRemoteUser&reason=0&formdir=2

For reference, this server is part of a Shibboleth IdP setup, published to the internet using MS Forefront TMG. Once authentication has happened, the Apache server passes on to a Tomcat server for the Shibboleth functions to run using the RemoteUser handler.

Can somebody please point out just where I might be able to find the thing that is different between these servers in order to resolve this?

Cheers,
Andi
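One systematic way to hunt for the difference the post asks about is to parse the mod_auth_kerb `<Location>` block from each server's config, report every directive whose value differs (ignoring the keytab filename, which the poster says is expected to differ), and then check that the keytab file named in the config actually exists and is readable. The script below is an added example and is not code from the original post; the two sample configs are constructed from the directives shown above, with server B given a deliberately different `KrbAuthRealms` value so the diff has something to report. The keytab path and the second keytab filename are assumptions for illustration.

```python
"""Compare mod_auth_kerb <Location> blocks from two Apache configs and check the keytab.

Added example, not part of the original post. SERVER_A is built from the
directives shown in the post; SERVER_B is a constructed variant.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed from the block quoted in the post.
SERVER_A = """\
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /idp/Authn/RemoteUser>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Shib Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.AC.UK
    Krb5KeyTab /etc/shibdevkerb.keytab
    KrbSaveCredentials On
    KrbServiceName HTTP/server.dev.publicdomain.ac.uk@xxxxxxxxxxxx
    require valid-user
</Location>
"""

# Constructed: same block with an expected difference (keytab filename, assumed)
# and an unexpected one (realm case; Kerberos realm names are case-sensitive).
SERVER_B = (
    SERVER_A.replace("/etc/shibdevkerb.keytab", "/etc/shibprodkerb.keytab")
    .replace("KrbAuthRealms DOMAIN.AC.UK", "KrbAuthRealms domain.ac.uk")
)


def parse_location_blocks(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {location_path: {directive_lowercase: value}} for each <Location> block.

    Directive names are case-insensitive in Apache, so they are lowercased;
    values are kept verbatim. Directives outside any block are ignored.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or full-line comment
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>$", line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            blocks[current] = {}
            continue
        if re.match(r"</Location\s*>$", line, re.IGNORECASE):
            current = None
            continue
        if current is None:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""  # flag directives have no value
        blocks[current][name] = value
    return blocks


def diff_blocks(a: Dict[str, str], b: Dict[str, str], ignore=()) -> List[Tuple[str, str, str]]:
    """Return (directive, value_a, value_b) for every directive that differs.

    A directive present on only one side shows '<missing>' for the other.
    """
    ignored = {d.lower() for d in ignore}
    differences = []
    for name in sorted(set(a) | set(b)):
        if name in ignored:
            continue
        va, vb = a.get(name, "<missing>"), b.get(name, "<missing>")
        if va != vb:
            differences.append((name, va, vb))
    return differences


def compare_configs(text_a: str, text_b: str,
                    location: str = "/idp/Authn/RemoteUser",
                    ignore=("Krb5KeyTab",)) -> List[Tuple[str, str, str]]:
    """Diff one <Location> block between two config texts."""
    a = parse_location_blocks(text_a).get(location, {})
    b = parse_location_blocks(text_b).get(location, {})
    return diff_blocks(a, b, ignore)


def check_keytab(path: str) -> List[str]:
    """Return problems with the keytab as seen by the *current* process.

    Run it as the httpd user (e.g. via sudo -u apache) to see what mod_auth_kerb
    sees; an unreadable or absent keytab is a common cause of
    'credentials were unavailable or inaccessible'.
    """
    if not os.path.exists(path):
        return [f"{path}: does not exist"]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append(f"{path}: not readable by uid {os.getuid()}")
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # keytabs hold long-term keys; group/other access is a risk
        problems.append(f"{path}: mode {mode:o} is readable by group/other")
    return problems


if __name__ == "__main__":
    for name, va, vb in compare_configs(SERVER_A, SERVER_B):
        print(f"{name}: A={va!r} B={vb!r}")
    for problem in check_keytab("/etc/shibdevkerb.keytab"):
        print(problem)
```

On the real hosts, read each server's auth_kerb.conf into `compare_configs` and run `check_keytab` as the httpd user so the permission result reflects what mod_auth_kerb actually experiences; a clean diff plus a readable keytab narrows the hunt to things outside this file (the keytab's contents, DNS, or the front-end in between).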