(Debian Squeeze)

I'm trying to set apache up to use Kerberos authentication to allow AD users to log in. It is working, but prompts the user twice for a username and password, with the first time being ignored (no matter what is put in). Only the second prompt includes the AuthName string from the config (i.e. the first window is a generic username/password one; the second includes the title "Kerberos Login"). I'm not worried about integrated Windows authentication working at this stage; I just want users to be able to log in with their AD account so we don't need to set up a second repository of user accounts.

How do I fix this to eliminate that first useless prompt?

The directives in the apache2.conf file:

<Directory /var/www/kerberos>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms ONEVUE.COM.AU.LOCAL
Krb5KeyTab /etc/krb5.keytab
KrbServiceName HTTP/SYD01TBUG02.onevue.com.au.local@ONEVUE.COM.AU.LOCAL
require valid-user
</Directory>

krb5.conf:

[libdefaults]
    default_realm = ONEVUE.COM.AU.LOCAL
[realms]
    ONEVUE.COM.AU.LOCAL = {
        kdc = SYD01PWDC01.ONEVUE.COM.AU.LOCAL
        master_kdc = SYD01PWDC01.ONEVUE.COM.AU.LOCAL
        admin_server = SYD01PWDC01.ONEVUE.COM.AU.LOCAL
        default_domain = ONEVUE.COM.AU.LOCAL
    }
[login]
    krb4_convert = true
    krb4_get_tickets = false

The access log when accessing the secured directory (note the two separate 401s):

192.168.10.115 - - [24/Aug/2012:15:52:01 +1000] "GET /kerberos/ HTTP/1.1" 401 710 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1"
192.168.10.115 - - [24/Aug/2012:15:52:06 +1000] "GET /kerberos/ HTTP/1.1" 401 680 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1"
192.168.10.115 - myaccount.lastname@MYDOMAIN.LOCAL [24/Aug/2012:15:52:10 +1000] "GET /kerberos/ HTTP/1.1" 200 375 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1"

And one line in error.log

[Fri Aug 24 15:52:06 2012] [error] [client 192.168.0.115] gss_accept_sec_context(2) failed: An unsupported mechanism was requested (, Unknown error)
DrStalker

3 Answers

I don't know if you still need the answer, but I hope I will help someone else by sharing my experience. I believe if you follow these steps, everything will work fine.

  1. Make sure you have a proper DNS entry (A record) for SYD01TBUG02 on your DNS server pointing to your web server.
  2. Make sure that you have an association between the SPN of your web service and an AD user. On the AD server run this command:

    setspn -A HTTP/SYD01TBUG02.onevue.com.au.local ad_username

  3. Make sure that you have a proper keytab generated. Run this command on your AD server:

    ktpass -princ HTTP/SYD01TBUG02.onevue.com.au.local@ONEVUE.COM.AU.LOCAL -mapuser ad_username -pass xxxxxx -crypto ALL -ptype KRB5_NT_PRINCIPAL -out SYD01TBUG02.keytab -setupn -setpass

    where xxxxxx is the AD user's password. We use the -crypto ALL option to make sure we add all supported hashes to the keytab file.
  4. Now copy the generated SYD01TBUG02.keytab file to your web server, into a directory of your choice. For example, let's copy it to the /etc/apache2/keytab/ folder.
  5. Example of an apache config file for the web service:
    <VirtualHost *:80>
        DocumentRoot "/var/www/kerberos"
        ServerName SYD01TBUG02.onevue.com.au.local
        ServerAlias SYD01TBUG02
        AddDefaultCharset UTF-8
        DirectoryIndex index.php
        ErrorLog /var/log/apache2/error_SYD01TBUG02.log
        TransferLog /var/log/apache2/transfer_SYD01TBUG02.log
        LogLevel warn
        ServerAdmin admin@onevue.com.au

        <Location "/">
            AuthType Kerberos
            KrbAuthRealms ONEVUE.COM.AU.LOCAL
            KrbServiceName HTTP/SYD01TBUG02.onevue.com.au.local@ONEVUE.COM.AU.LOCAL
            Krb5Keytab /etc/apache2/keytab/SYD01TBUG02.keytab
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            KrbVerifyKDC on
            require valid-user
        </Location>
        <Directory />
        </Directory>
    </VirtualHost>
    
  6. Reload or restart apache: sudo service apache2 reload
  7. Now if you type http://SYD01TBUG02/ in your browser address bar, you will be automatically logged in to your web service via SSO (Chrome, Chromium-like browsers and IE support SSO out of the box, but there is also a plugin for Firefox).

Hope that will help you set up your Kerberos auth on the web server.

P.S. If you want to enable SSO by full address (e.g. SYD01TBUG02.onevue.com.au.local) you should add SYD01TBUG02.onevue.com.au.local to the intranet zone, either via AD Group Policies (if you need this on several machines in the domain) or locally via Internet Explorer settings. These settings affect all browsers installed on the system.

bbrody

That's because the first time the user enters u/p, an NTLM token is sent to the server. The second time it's the correct Kerberos token.

Unfortunately there is no way you can eliminate the first prompt.

Simon

If single sign-on is not a requirement you can disable Negotiate by setting 'KrbMethodNegotiate off'. This will give you just a single Basic login and also avoid the extra GET request for each transaction.