Eric Covener wrote:
> On Wed, Nov 26, 2008 at 9:07 AM, Carsten Aulbert
> <carsten.aulbert@xxxxxxxxxx> wrote:
>> Hi all,
>>
>> we experience something weird here. We are running Apache 2.2.3 with
>> mod_auth_kerb 5.3 on Debian Etch. Authentication against a remote
>> Kerberos server (V5) works but when I access web pages with a lot of
>> (embedded) images, several pop-ups appear, asking me to identify myself
>> again.
>
> Normally, your browser doesn't bother you if it has already prompted
> you for a matching REALM and the host/port/path of the subsequent
> request is "underneath" the first place it authenticated. How are the
> URLs you're re-prompted for related to the first URL?

They are just relative to the main page, e.g. image src="jpeg/image.jpg"
and so on...

After turning on debugging in the server I now see more details (sorry
for the line wraps):

[Wed Nov 26 19:59:11 2008] [info] Subsequent (No.20) HTTPS request received for child 9 (server SERVER:443)
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1485): [client X.Y.Z.22] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(940): [client X.Y.Z.22] Using HTTP/SERVER@xxxxxxxx as server principal for password verification, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(680): [client X.Y.Z.22] Trying to get TGT for user carsten@xxxxxxxxxxxx, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=0 user=carsten@xxxxxxxxxxxx authtype=Basic, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=0 user=carsten@xxxxxxxxxxxx authtype=Basic, referer: https://SERVER/~christian/LSC/coherent03/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(609): [client X.Y.Z.22] krb5_get_credentials() failed when verifying KDC, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [error] [client X.Y.Z.22] failed to verify krb5 credentials: Request is a replay, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(594): [client X.Y.Z.22] Trying to verify authenticity of KDC using principal HTTP/SERVER@xxxxxxxx, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(594): [client X.Y.Z.22] Trying to verify authenticity of KDC using principal HTTP/SERVER@xxxxxxxx, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(594): [client X.Y.Z.22] Trying to verify authenticity of KDC using principal HTTP/SERVER@xxxxxxxx, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#893340 [mem: 8a48b0] (BIO dump follows)

Especially this line about the replay looks fishy, right?

I'm still completely puzzled by this. Anyone less puzzled?

Cheers,

Carsten

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
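
A triage helper for logs like the excerpt in the message above, added here as an example and not part of the original thread or of mod_auth_kerb: it tallies, per one-second timestamp and client, how many KDC verifications, successes, 401 results and "Request is a replay" errors were logged, so that replay errors coinciding with several parallel verifications stand out. The sample lines are constructed from the redacted lines in the post; `tally`, `replay_bursts` and the `min_parallel` threshold are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Apache 2.2 error_log layout: [time] [level] [file(line): ][[client ip] ]message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\S+\(\d+\): )?(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# Message fragments taken from the log excerpt quoted in the thread.
EVENTS = {
    "verify_kdc": "Trying to verify authenticity of KDC",
    "replay": "Request is a replay",
    "ok": "kerb_authenticate_user_krb5pwd ret=0",
    "denied": "kerb_authenticate_user_krb5pwd ret=401",
}

def tally(lines):
    """Count each event per (timestamp, client); timestamps have 1 s resolution."""
    stats = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["client"]:
            continue  # not a per-client line (e.g. SSL I/O dumps)
        for name, needle in EVENTS.items():
            if needle in m["msg"]:
                stats[(m["ts"], m["client"])][name] += 1
    return stats

def replay_bursts(lines, min_parallel=2):
    """Seconds in which one client had >= min_parallel KDC checks and a replay error."""
    return [
        (ts, client, dict(c))
        for (ts, client), c in sorted(tally(lines).items())
        if c["replay"] and c["verify_kdc"] >= min_parallel
    ]

# Constructed sample, modelled on the redacted lines quoted in the thread.
def _line(ts, level, msg, src="src/mod_auth_kerb.c(594): "):
    return f"[{ts}] [{level}] {src}[client X.Y.Z.22] {msg}, referer: https://SERVER/dir/"
T1, T2 = "Wed Nov 26 19:59:11 2008", "Wed Nov 26 19:59:12 2008"
SAMPLE = (
    [_line(T1, "debug", EVENTS["verify_kdc"] + " using principal HTTP/SERVER@xxxxxxxx")] * 3
    + [_line(T1, "debug", EVENTS[k]) for k in ("ok", "denied")]
    + [_line(T1, "error", "failed to verify krb5 credentials: Request is a replay", src="")]
    + [_line(T2, "debug", EVENTS[k]) for k in ("verify_kdc", "ok")]
)
if __name__ == "__main__":
    for ts, client, counts in replay_bursts(SAMPLE):
        print(ts, client, counts)
```

On a real server, pass the lines of the error log (with `LogLevel debug` enabled, as in the post) instead of `SAMPLE`.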