[users@httpd] Apache Kerberos fails when credentials passed in manually from browser prompt.

I have set up an Apache web server to secure a directory using Kerberos. I
am finding that if "Integrated Windows Authentication" is turned on in
Internet Explorer a user can access the secured directory on the web server.
However, if I turn off the "Windows Integrated Authentication" I get
prompted for a password. This is what I expected to happen, but when I enter
a valid Active Directory account and password, I still get Access Denied. My
understanding of Kerberos and IE is that if "Integrated Windows
Authentication" is turned on, the browser will send the IE user's username
and password to AD to get a ticket. Can anyone tell me why I can
authenticate when IE passes my credentials but cannot authenticate when I am
prompted and enter them in manually?

My Apache config, and keytab config can be found below: 


<Directory "/srv/www/private">
        Order allow,deny
        Allow from all

        Options Indexes
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms IDFBINS.COM
        Krb5Keytab  /srv/www/apache.keytab
        Require valid-user
</Directory>

[libdefaults] 
        default_realm = IDFBINS.COM 
        clockskew = 300 

[realms] 
IDFBINS.COM = { 
        kdc = fbms2010.idfbins.com 
        default_domain = nexustest.idfbins.com 
        admin_server = fbms2010.idfbins.com 
[libdefaults] 
        default_realm = IDFBINS.COM 
        clockskew = 300 

[realms] 
IDFBINS.COM = { 
        kdc = fbms2010.idfbins.com 
        default_domain = nexustest.idfbins.com 
        admin_server = fbms2010.idfbins.com 
} 
EXAMPLE.COM = { 
        kdc = kerberos.example.com 
        admin_server = kerberos.example.com 
} 

[logging] 
        kdc = FILE:/var/log/krb5/krb5kdc.log 
        admin_server = FILE:/var/log/krb5/kadmind.log 
        default = SYSLOG:NOTICE:DAEMON 
[domain_realm] 
        .nexustest@xxxxxxxxxxx = IDFBINS.COM 
        .nexustest.idfbins.com = IDFBINS.COM 
[appdefaults] 
pam = { 
        ticket_lifetime = 1d 
        renew_lifetime = 1d 
        forwardable = true 
        proxiable = false 
        retain_after_close = false 
        minimum_uid = 0 
        try_first_pass = true 
} 


-- 
View this message in context: http://www.nabble.com/Apache-Kerberos-fails-when-credentials-passed-in-manually-from-browser-prompt.-tf2655845.html#a7408066
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
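
Added example, not part of the original message: with KrbMethodK5Passwd the web server itself requests a ticket from the KDC using the typed password, so that path depends on krb5.conf being well formed. The function name and the embedded sample (constructed from the layout of the file as posted, trimmed) are assumptions for illustration.

```python
import re

# Constructed sample mirroring the layout of the krb5.conf posted above.
SAMPLE = """\
[libdefaults]
        default_realm = IDFBINS.COM
[realms]
IDFBINS.COM = {
        kdc = fbms2010.idfbins.com
[libdefaults]
        default_realm = IDFBINS.COM
[realms]
IDFBINS.COM = {
        kdc = fbms2010.idfbins.com
}
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")   # e.g. [realms]
OPEN = re.compile(r"^(\S+)\s*=\s*\{$")    # e.g. IDFBINS.COM = {

def lint_krb5_conf(text):
    """Return (line_number, message) pairs for structural problems."""
    findings = []
    seen = {}    # section name -> line where it first appeared
    stack = []   # currently open "{" blocks as (name, line_number)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        sec, blk = SECTION.match(line), OPEN.match(line)
        if sec:
            name = sec.group(1)
            for open_name, at in stack:      # header inside an open block
                findings.append((no, f"[{name}] starts while "
                                     f"'{open_name} = {{' from line {at} is still open"))
            stack.clear()
            if name in seen:
                findings.append((no, f"[{name}] repeated (first at line {seen[name]})"))
            seen.setdefault(name, no)
        elif blk:
            stack.append((blk.group(1), no))
        elif line.rstrip("*") == "}":        # "}*" marks a final block
            if stack:
                stack.pop()
            else:
                findings.append((no, "'}' with no open block"))
    for open_name, at in stack:              # anything left open at EOF
        findings.append((at, f"'{open_name} = {{' is never closed"))
    return findings
```

Run it over the real file with lint_krb5_conf(open("/etc/krb5.conf").read()); an empty list means no structural problems were found, not that the realm settings are correct.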

