Problems set-up Single Sign-On using Kerberos authentication

Posted by user1124133 on Server Fault
Published on 2013-02-13T19:43:23Z

I need to set up authentication for a Ruby on Rails application via Active Directory using Kerberos authentication.

Some technical information:

  1. I am using Apache
  2. installed mod_auth_kerb
  3. In httpd.conf I added LoadModule auth_kerb_module modules/mod_auth_kerb.so
  4. In /etc/krb5.conf I added the following configuration

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    
    [libdefaults]
     default_realm = EU.ORG.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
    
    [realms]
     EU.ORG.COM = {
      kdc = eudc05.eu.org.com:88
      admin_server = eudc05.eu.org.com:749
      default_domain = eu.org.com
     }
    
    [domain_realm]
     .eu.org.com = EU.ORG.COM
     eu.org.com = EU.ORG.COM
    
    [appdefaults]
     pam = {
       debug = true
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    
  5. When I test kinit validuser and enter the password, authentication is successful.

  6. klist returns:

    Ticket cache: FILE:/tmp/krb5cc_600
    Default principal: [email protected]
    
    Valid starting     Expires            Service principal
    02/08/13 13:46:40  02/08/13 23:46:47  krbtgt/[email protected]
    
            renew until 02/09/13 13:46:40
    
    Kerberos 4 ticket cache: /tmp/tkt600
    klist: You have no tickets cached
    
  7. In the application's Apache configuration I added

    <IfModule mod_auth_kerb.c>
    <Location /winlogin>
        AuthType Kerberos
        AuthName "Kerberos Loginsss"
        KrbMethodNegotiate off
        KrbAuthoritative on
        KrbVerifyKDC off
        KrbAuthRealms EU.ORG.COM
        Krb5Keytab /home/crmdata/httpd/apache.keytab
        KrbSaveCredentials off
        Require valid-user
      </Location>
    </IfModule>
    
  8. I restarted Apache

Now some tests:

  1. When I try to access the application from Win7, I get a pop-up message box with the text:

    Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentification without a secure connection)
    
  2. When I enter valid credentials, my application opens successfully and all works fine.

Questions:

  1. Is it OK that such a window pops up for the user? If I use NTLM authentication there is no such pop-up. I checked IE Internet Options and 'Enable Integrated Windows Authentication' is checked there.

  2. Why does IE try to send the username and password to the application's Apache? If I understand correctly, Windows itself should perform the authentication via Active Directory using the Kerberos protocol.

  3. When I try to access the application from Win7 and enter incorrect credentials in the pop-up message box:

    • The application says Authentication failed (this is OK)
    • In apache error log I see:

      [error] [client 192.168.56.1] krb5_get_init_creds_password() failed: Client not found in Kerberos database 
      
    • But now I cannot get a chance to enter valid credentials; only when I restart IE do I get the pop-up box again.

What could be incorrect or missing in my Kerberos setup?

I read in some blog post that probably something needs to be done on the Active Directory side. What exactly?
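As an added example (not code from the question or from mod_auth_kerb itself), a small Python audit of the `<Location /winlogin>` block above: it applies mod_auth_kerb's documented defaults (`KrbMethodNegotiate`, `KrbMethodK5Passwd` and `KrbVerifyKDC` all default to `on`) and reports why a browser is shown a Basic-auth prompt and what the two `off` settings give up. The sample configuration is embedded as constructed input; `over_tls` is an assumed parameter describing whether the vhost is served over HTTPS.

```python
# Directives from the question's <Location /winlogin> block, embedded as constructed sample input.
SAMPLE_CONF = """
<Location /winlogin>
    AuthType Kerberos
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealms EU.ORG.COM
    Krb5Keytab /home/crmdata/httpd/apache.keytab
    KrbSaveCredentials off
    Require valid-user
</Location>
"""

# mod_auth_kerb defaults for the directives this audit reasons about (all "on" by default).
DEFAULTS = {"KrbMethodNegotiate": "on", "KrbMethodK5Passwd": "on", "KrbVerifyKDC": "on"}


def parse_directives(conf):
    """Return {directive: value} for plain 'Name value' lines; container tags and comments are skipped."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "<#":
            continue
        parts = line.split(None, 1)
        found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found


def audit_kerb_block(conf, over_tls=False):
    """List what the block gives up. over_tls says whether the vhost is served over HTTPS (assumed input)."""
    d = dict(DEFAULTS)
    d.update(parse_directives(conf))
    on = lambda name: d[name].lower() == "on"
    findings = []
    if not on("KrbMethodNegotiate") and on("KrbMethodK5Passwd"):
        # Without Negotiate the browser never sends a Kerberos ticket; it falls back to Basic
        # and shows the password prompt described in the question.
        findings.append("Negotiate disabled: browsers fall back to Basic and prompt for a password")
    if on("KrbMethodK5Passwd") and not over_tls:
        findings.append("Basic (KrbMethodK5Passwd) offered without TLS: password crosses the wire in cleartext")
    if not on("KrbVerifyKDC"):
        # With verification off, a password login is not checked against the keytab, so a
        # spoofed KDC could answer the AS exchange; mod_auth_kerb marks this as testing-only.
        findings.append("KrbVerifyKDC off: password logins not verified against the keytab (KDC spoofing)")
    return findings
```

Running `audit_kerb_block(SAMPLE_CONF)` on the block as posted yields three findings; with Negotiate and KDC verification turned back on and the site served over TLS it yields none.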
