Problems set-up Single Sign-On using Kerberos authentication
- by user1124133
I need for Ruby on Rail application set authentication via Active Directory using Kerberos authentication.
Some technical information:
I are using Apache
installed mod_auth_kerb
In httpd.conf I added LoadModule auth_kerb_module modules/mod_auth_kerb.so
In /etc/krb5.conf I added following configuration
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EU.ORG.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EU.ORG.COM = {
kdc = eudc05.eu.org.com:88
admin_server = eudc05.eu.org.com:749
default_domain = eu.org.com
}
[domain_realm]
.eu.org.com = EU.ORG.COM
eu.org.com = EU.ORG.COM
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
When I test kinit validuser and enter password then authentication is successful.
klist returns:
Ticket cache: FILE:/tmp/krb5cc_600
Default principal: [email protected]
Valid starting Expires Service principal
02/08/13 13:46:40 02/08/13 23:46:47 krbtgt/[email protected]
renew until 02/09/13 13:46:40
Kerberos 4 ticket cache: /tmp/tkt600
klist: You have no tickets cached
In application Apache configuration I added
IfModule mod_auth_kerb.c>
Location /winlogin>
AuthType Kerberos
AuthName "Kerberos Loginsss"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealms EU.ORG.COM
Krb5Keytab /home/crmdata/httpd/apache.keytab
KrbSaveCredentials off
Require valid-user
</Location>
</IfModule>
I restarted apache
Now some tests:
When I try to access application from Win7, I got pop-up message box, with text:
Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentification without a secure connection)
When I enter valid credentials then my application opens successfully, and all works fine.
Questions:
Is ok that for user pop-ups such windows? If I use NTLM authentication then there no such pop-up.
I checked IE Internet Options and there 'Enable Integrated Windows Authentication' is checked.
Why IE try to send username and password to application apache? If I correct to understand then Windows self must make authentication via Active Directory using Kerberos protocol.
When I try to access application from Win7 and I enter incorrect credentials to pop-up message box
Application say Authentication failed (this is OK)
In apache error log I see:
[error] [client 192.168.56.1] krb5_get_init_creds_password() failed: Client not found in Kerberos database
But now I cannot get possibility to enter valid credentials, only when I restart IE I can get again pop-up box.
What could be incorrect or missing in my Kerberos setup?
I read in some blog post that probably something is needed to be done in Active Directory side. What exactly?
