I am using a Windows 2022 Server running Active Directory (server.local) and a Debian 10 server running Apache.

When accessing the site with Chrome or Internet Explorer, it returns a 401 status code and the error.log has a `gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)` error in it.

Things I have already checked/done:

  • As suggested here: BrowserMatch and regenerating the keytab file
  • Check that Apache has access to the file
  • Set Site as Intranet Website in Internet Explorer

I created the Config following this Tutorial

krb5.conf File

    [libdefaults]
            default_realm = SERVER.LOCAL
    [realms]
    SERVER.LOCAL = {
            kdc = SERVER.LOCAL
            master_kdc = SERVER.LOCAL
            admin_server = SERVER.LOCAL
            default_domain = SERVER.LOCAL
            }
    [login]
            krb4_convert = true
            krb4_get_tickets = false

Keytab Creation Command

    ktpass -princ HTTP/debian@SERVER.LOCAL -mapuser suakerberos@SERVER.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass "Passwort123@" -out c:\krb5.keytab -in c:\krb5.keytab

My apache2.conf

    AuthType Kerberos
    BrowserMatch Windows gssapi-no-negotiate
    KrbAuthRealms SERVER.LOCAL
    KrbServiceName HTTP
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require valid-user
    </Directory>

Any help is appreciated

dwaltsch
  • 1) **What URL** are you using to access the website? (Is it `http://debian` or not?) 2) Have you tested the same site with Firefox (after enabling negotiate auth in Fx)? 3) Does the ticket for HTTP/debian show up in the client's `klist`? – user1686 Jul 23 '22 at 10:13
  • (Also, don't use mod_auth_kerb in new systems (it's obsolete) – use mod_auth_gssapi instead – and don't use such weak passwords for your service accounts... and don't use RC4-HMAC if you can avoid it. Why are you using RC4-HMAC?? **That tutorial is just bad in every way.**) – user1686 Jul 23 '22 at 10:16
  • Thank you for the help, I managed to fix it by generating new keytab files, this time with a new user: `ktpass -princ HTTP/host.server.local@SERVER.LOCAL -pass Kennwort123! -mapuser username -Ptype KRB5_NT_PRINCIPAL -out krb5.keytab`. With this one I can access test.server.local with no problems and the authentication works – dwaltsch Jul 25 '22 at 07:03

0 Answers
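
When `gss_accept_sec_context()` reports an unsupported mechanism, it helps to see which mechanism the browser actually put in its `Authorization: Negotiate` header; a client that could not get a ticket for the site's `HTTP/...` principal typically sends NTLM instead of Kerberos. The following is an added example, not code from the thread: the names `offered_mechs`, `diagnose` and `SAMPLE_HEADER` are made up here, and the sample header is constructed.

```python
import base64

# DER content bytes of the mechanism OIDs (tag and length not included)
SPNEGO = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
SAMPLE_HEADER = "Negotiate TlRMTVNTUAABAAAA"  # constructed: start of an NTLM type 1 message

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def offered_mechs(token):
    """Mechanisms offered by a GSS-API initial token, in the client's order."""
    if token.startswith(b"NTLMSSP\x00"):
        return ["ntlm"]                               # bare NTLM, no GSS framing
    tag, pos, _ = _tlv(token, 0)                      # [APPLICATION 0] wrapper
    oid_tag, s, pos = _tlv(token, pos)                # thisMech OID
    if tag != 0x60 or oid_tag != 0x06:
        raise ValueError("not a GSS-API initial token")
    if token[s:pos] != SPNEGO:
        return [MECHS.get(token[s:pos], "unknown")]   # e.g. bare Kerberos
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit, SEQUENCE, mechTypes [0], SEQUENCE OF
        tag, pos, end = _tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected SPNEGO structure")
    names = []
    while pos < end:
        _, s, pos = _tlv(token, pos)
        names.append(MECHS.get(token[s:pos], "unknown"))
    return names

def diagnose(header_value):
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        mechs = offered_mechs(base64.b64decode(b64.strip(), validate=True))
    except (ValueError, IndexError):
        return "malformed"
    return mechs[0] if mechs else "malformed"
```

A result of `ntlm` points at the client side (URL host name versus the keytab principal, missing ticket in `klist`), while `kerberos` points at the server's keytab or encryption types.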