Problems set-up Single Sign-On using Kerberos authentication
Posted
by
user1124133
on Server Fault
See other posts from Server Fault
or by user1124133
Published on 2013-02-13T19:43:23Z
Indexed on
2014/06/07
21:27 UTC
Read the original article
Hit count: 269
I need for Ruby on Rail application set authentication via Active Directory using Kerberos authentication.
Some technical information:
- I are using Apache
- installed mod_auth_kerb
- In httpd.conf I added LoadModule auth_kerb_module modules/mod_auth_kerb.so
In /etc/krb5.conf I added following configuration
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EU.ORG.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] EU.ORG.COM = { kdc = eudc05.eu.org.com:88 admin_server = eudc05.eu.org.com:749 default_domain = eu.org.com } [domain_realm] .eu.org.com = EU.ORG.COM eu.org.com = EU.ORG.COM [appdefaults] pam = { debug = true ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
When I test kinit validuser and enter password then authentication is successful.
klist returns:
Ticket cache: FILE:/tmp/krb5cc_600 Default principal: [email protected] Valid starting Expires Service principal 02/08/13 13:46:40 02/08/13 23:46:47 krbtgt/[email protected] renew until 02/09/13 13:46:40 Kerberos 4 ticket cache: /tmp/tkt600 klist: You have no tickets cached
In application Apache configuration I added
IfModule mod_auth_kerb.c> Location /winlogin> AuthType Kerberos AuthName "Kerberos Loginsss" KrbMethodNegotiate off KrbAuthoritative on KrbVerifyKDC off KrbAuthRealms EU.ORG.COM Krb5Keytab /home/crmdata/httpd/apache.keytab KrbSaveCredentials off Require valid-user </Location> </IfModule>
I restarted apache
Now some tests:
When I try to access application from Win7, I got pop-up message box, with text:
Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentification without a secure connection)
When I enter valid credentials then my application opens successfully, and all works fine.
Questions:
Is ok that for user pop-ups such windows? If I use NTLM authentication then there no such pop-up. I checked IE Internet Options and there 'Enable Integrated Windows Authentication' is checked.
Why IE try to send username and password to application apache? If I correct to understand then Windows self must make authentication via Active Directory using Kerberos protocol.
When I try to access application from Win7 and I enter incorrect credentials to pop-up message box
- Application say Authentication failed (this is OK)
In apache error log I see:
[error] [client 192.168.56.1] krb5_get_init_creds_password() failed: Client not found in Kerberos database
But now I cannot get possibility to enter valid credentials, only when I restart IE I can get again pop-up box.
What could be incorrect or missing in my Kerberos setup?
I read in some blog post that probably something is needed to be done in Active Directory side. What exactly?
© Server Fault or respective owner