
I'm currently trying to configure Kerberos on our Apache and unfortunately I can't get any further. The website (Typo3) on the Apache server is accessed internally and externally as sub.domain.com. The local domain is intern.local.

I created the keytab file like this:

ktpass -princ HTTP/sub.domain.com@INTERN.LOCAL -mapuser kerb@intern.local -pass P@55w0rd -crypto ALL -ptype KRB5_NT_PRINCIPAL -out C:\temp\kerbkey.keytab

The krb5.conf file looks like this:

[libdefaults]
        default_realm = INTERN.LOCAL

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        INTERN.LOCAL = {
                kdc = dc01.intern.local
                admin_server = dc01.intern.local
                default_domain = intern.local
        }

[domain_realm]
        .sub.domain.com = INTERN.LOCAL
        sub.domain.com = INTERN.LOCAL
        intern.local = INTERN.LOCAL
        .intern.local = INTERN.LOCAL

The Apache vhost looks like this:

<VirtualHost *:443>
    ServerName sub.domain.com
    ServerAdmin it-administration@domain.com
    DocumentRoot /var/www/page

    <Directory /var/www/page>
        AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildcart-zert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcart-key.key

    # mod_auth_gssapi registers itself as auth_gssapi_module;
    # auth_kerb_module is the identifier of the older mod_auth_kerb and would not load this .so
    <IfModule !mod_auth_gssapi.c>
        LoadModule auth_gssapi_module /usr/lib/apache2/modules/mod_auth_gssapi.so
    </IfModule>

    LimitRequestFieldSize 32768
    <Location "/">
        AuthName kerb@INTERN.LOCAL
        AuthType GSSAPI
        GssapiBasicAuth On
        GssapiCredStore keytab:/etc/apache2/krb5/kerbkey.keytab
        Require valid-user
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/page-ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/page-ssl_access.log combined
</VirtualHost>

The problem now is that if I activate the vhost config like this, then when I call up the page https://sub.domain.com, I always get a browser popup to enter the username and password. No matter what I type here, I can't get to the web page and just get the error:

Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Apache/2.4.41 (Ubuntu) Server at sub.domain.com Port 443

The Apache error log shows these entries:

[auth_gssapi:error] [pid 1632875] [client x.x.x.x:65394] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)]
horst
  • I'm still messing around with this problem. On a test server the same configuration works without any problems. The only difference is that on the test server I call the domain with sub.internal.local and on the production server I open the page with sub.external.com in the browser... this drives me nuts! – horst Feb 03 '22 at 09:13
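Whatever hostname the user types into the browser decides which service ticket the browser asks for: it requests HTTP/<hostname from the URL>, and mod_auth_gssapi can only decrypt that ticket if the very same principal (names are case-sensitive) sits in the keytab it is pointed at. The quickest sanity check is therefore to list the keytab and compare it against every hostname the site is reached under. The script below is an added example, not code from the question or from mod_auth_gssapi: it parses the binary keytab format (version 0x0502, the one ktpass and MIT/Heimdal tools write) and reports whether a given hostname/realm pair has an entry, which key versions and which encryption types. The sample keytab it builds is constructed with dummy keys; the principal HTTP/sub.domain.com@INTERN.LOCAL and the realm are taken from the question, sub.external.com from the comment.

```python
"""Parse an MIT/Heimdal keytab (format 0x0502) and check that it contains the SPN
a browser will request for a given hostname.  Added example, not from the post."""
import struct
from dataclasses import dataclass
from typing import Dict, List

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/sub.domain.com@INTERN.LOCAL
    name_type: int   # 1 = KRB5_NT_PRINCIPAL (what ktpass -ptype KRB5_NT_PRINCIPAL writes)
    kvno: int
    enctype: int
    key_len: int     # key bytes are deliberately not kept; only their length is reported


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 (big-endian) is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:               # a negative size marks a deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # v2: realm not counted here
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, len(key)))
    return entries


def check_spn(data: bytes, hostname: str, realm: str, service: str = "HTTP") -> Dict:
    """The browser asks the KDC for <service>/<URL hostname>; exactly that principal
    must be in the keytab or the presented ticket cannot be accepted."""
    wanted = f"{service}/{hostname}@{realm}"
    hits = [e for e in parse_keytab(data) if e.principal == wanted]
    return {
        "spn": wanted,
        "present": bool(hits),
        "kvnos": sorted({e.kvno for e in hits}),
        "enctypes": sorted(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in hits),
    }


# --- helpers that build a constructed sample keytab (dummy keys, not real secrets) ---
def _cos(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    body += b"".join(_cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">H", enctype) + _cos(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[bytes]) -> bytes:
    return b"\x05\x02" + b"".join(entries)


SAMPLE_KEYTAB = build_keytab([   # constructed: two enctypes for the SPN from the question
    build_entry("HTTP/sub.domain.com@INTERN.LOCAL", 18, b"\x11" * 32, kvno=3),
    build_entry("HTTP/sub.domain.com@INTERN.LOCAL", 23, b"\x22" * 16, kvno=3),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for entry in parse_keytab(data):
        print(entry)
    for host in ("sub.domain.com", "sub.external.com"):
        print(check_spn(data, host, "INTERN.LOCAL"))
```

Run it with the real file as argument (`python3 keytabcheck.py /etc/apache2/krb5/kerbkey.keytab`); `klist -kte <file>` prints the same listing from the command line. A hostname that is missing from the output is one for which no browser can ever obtain a usable ticket, no matter how the vhost is configured.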

1 Answer


The Apache error log shows these entries:

Wrong login credentials:

[auth_gssapi:error] [pid 945597] [client x.x.x.x:60415] GSS ERROR In Basic Auth: gss_acquire_cred_with_password() failed: [Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)]

Correct login credentials:

[auth_gssapi:error] [pid 945593] [client x.x.x.x:63197] GSS ERROR gss_init_sec_context(): [Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]
horst
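The three log lines on this page each point at a different side of the exchange, and telling them apart is what makes this log useful for triage: "Preauthentication failed" is the KDC rejecting a password, "Server not found in Kerberos database" is the KDC having no principal for the service name the client asked for, and "An unsupported mechanism was requested" in gss_accept_sec_context() means the token the browser put inside its Negotiate header was not a Kerberos token at all (browsers fall back to NTLM when they cannot get a service ticket for the hostname in the URL). The script below is an added example, not part of the answer or of mod_auth_gssapi: it parses mod_auth_gssapi's error-log format and labels each line with the standard meaning of its GSS detail text. The sample lines are the ones quoted on this page.

```python
"""Triage mod_auth_gssapi error-log lines into the Kerberos failure they signal.
Added example, not from the post; the cause texts are the standard meanings of
these GSSAPI / KDC error strings."""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"\[auth_gssapi:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"GSS ERROR (?:In (?P<phase>[^:]+): )?(?P<call>gss_\w+)\(\)(?: failed)?: \[(?P<detail>.*)\]$"
)

# (substring of the GSS detail text, which side failed, what it means for the operator)
KNOWN_CAUSES = [
    ("unsupported mechanism", "client",
     "Negotiate token was not Kerberos (browser fell back to NTLM because it obtained no "
     "service ticket for the URL hostname); check the SPN and the client's realm mapping"),
    ("Server not found in Kerberos database", "kdc",
     "KDC has no principal for the requested service name; the SPN derived from the URL "
     "hostname is not registered for the account whose keys are in the keytab"),
    ("Preauthentication failed", "user",
     "password did not match the user's key; not a server configuration problem"),
]


def triage_line(line: str) -> Optional[Dict]:
    """Parse one log line; returns None for lines that are not GSS errors."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["cause"], rec["side"] = "unknown GSS error; inspect the minor code text", "unknown"
    for needle, side, cause in KNOWN_CAUSES:
        if needle.lower() in rec["detail"].lower():
            rec["cause"], rec["side"] = cause, side
            break
    return rec


def triage(lines: List[str]) -> List[Dict]:
    return [r for r in (triage_line(line) for line in lines) if r]


SAMPLE_LOG = [  # the three lines quoted on this page (client address already masked there)
    "[auth_gssapi:error] [pid 1632875] [client x.x.x.x:65394] GSS ERROR In Negotiate Auth: "
    "gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)]",
    "[auth_gssapi:error] [pid 945597] [client x.x.x.x:60415] GSS ERROR In Basic Auth: "
    "gss_acquire_cred_with_password() failed: [Unspecified GSS failure.  Minor code may "
    "provide more information (Preauthentication failed)]",
    "[auth_gssapi:error] [pid 945593] [client x.x.x.x:63197] GSS ERROR gss_init_sec_context(): "
    "[Unspecified GSS failure.  Minor code may provide more information "
    "(Server not found in Kerberos database)]",
    "[ssl:warn] [pid 1] some unrelated line that must be ignored",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['client']:<18} {rec['call']:<32} side={rec['side']:<7} {rec['cause']}")
```

Feed it the real log with `triage(open('/var/log/apache2/page-ssl_error.log').readlines())`. Seeing "kdc" and "client" causes for the same site while "user" causes appear only on typos is the pattern that separates a broken SPN/realm setup from genuinely bad passwords.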