0

I'm trying to configure Kerberos SSO in Apache at the moment. On the test server the website sub.internal.local works quite well in reference to the Kerberos SSO. When I try to adapt the config to another Apache server, which is opened via sub.external.com, I only get a login dialogue.

So just for my understanding, what do I need to change in the krb5.conf file or the generating of the *.keytab file?

internal.local is our internal active directory domain;

external.com is our default web address from the outside, which also works internally because of an internal DNS lookup zone;

horst
  • 1
  • 1

1 Answer

0

You have not explained that you went through the basic setup for SPNEGO here, so I'll assume you didn't.

  • Did you create a principal for HTTP/sub.external.com in the KDC?
  • Are you able to obtain a service ticket for HTTP/sub.external.com using either MIT's kvno or Windows klist?
  • Did you update the keytab on the webserver with the extra principal's keys?
  • Have you used a tool like curl to run the SPNEGO auth and read the logs?
  • Did you configure the browser to allow SPNEGO at *.external.com (or whatever domain whitelist is appropriate)?
  • Have you confirmed that the browser does actually perform a Kerberos exchange by reading its logs or at least checking if a ticket for the HTTP principal is fetched?
  • Have you read the server side logs?
Calchas
  • 101
  • 1
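
The keytab, service-ticket and curl checks from the answer above can be scripted as below; this is an added example, not code from the question or the answer. The realm `INTERNAL.LOCAL`, the keytab path and the `https://` scheme are assumptions, and the key version comparison goes one step beyond the checklist.

```shell
#!/bin/sh
# Added example. Assumptions, not from the post: realm name, keytab path, https.
HOST="sub.external.com"
REALM="INTERNAL.LOCAL"              # assumed AD realm for internal.local
KEYTAB="/etc/apache2/http.keytab"   # hypothetical path
SPN="HTTP/$HOST@$REALM"

# Print the key version numbers that `klist -k` output ($1) holds for SPN ($2).
# Principal names are compared exactly, including case.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == want && !seen[$1]++ { print $1 }'
}

# Extract the number from a kvno(1) line such as "HTTP/h@R: kvno = 3".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

run_checks() {
    listing=$(klist -k "$KEYTAB") || { echo "FAIL: cannot read $KEYTAB"; return 1; }
    have=$(keytab_kvnos "$listing" "$SPN")
    [ -n "$have" ] || { echo "FAIL: $SPN is not in the keytab"; return 1; }
    # Needs a TGT (kinit first); fails if the KDC has no such principal.
    out=$(kvno "$SPN") || { echo "FAIL: no service ticket for $SPN"; return 1; }
    want=$(kdc_kvno "$out")
    echo "$have" | grep -qx "$want" \
        || { echo "FAIL: keytab kvno $have, KDC kvno $want"; return 1; }
    # SPNEGO request from the ticket cache; 401 means Negotiate was not accepted.
    code=$(curl --negotiate -u : -s -o /dev/null -w '%{http_code}' "https://$HOST/")
    echo "HTTP status with Negotiate: $code"
    [ "$code" = 200 ]
}

# Constructed `klist -k` output: the keytab still lacks the external name.
SAMPLE='KVNO Principal
---- ------------------------------------------
   2 HTTP/sub.internal.local@INTERNAL.LOCAL'

if [ "${1:-}" = "--live" ]; then
    run_checks
elif [ -z "$(keytab_kvnos "$SAMPLE" "$SPN")" ]; then
    echo "sample keytab: $SPN missing"
fi
```

Run it with `--live` on the web server after `kinit` to test the real keytab and KDC; without arguments it only evaluates the constructed sample listing.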