I am trying to set up SSO on my Apache web server using Kerberos so that users logged into the local domain are recognised and logged in immediately.
I have followed this guide to the letter but I cannot get rid of the user/password prompt once everything is set up.
I am using Ubuntu 8.04 and have installed mod_auth_kerb 5.4 for Apache.
My /etc/krb5.conf:
[libdefaults]
default_realm = COMPANY.LOCAL
[domain_realm]
.company.local = COMPANY.LOCAL
company.local = COMPANY.LOCAL
[realms]
COMPANY.LOCAL = {
default_domain = company.local
kdc = DC01.COMPANY.LOCAL:88
admin_server = DC01.COMPANY.LOCAL
}
My Apache configuration:
<Location />
AuthType Kerberos
AuthName "server login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms COMPANY.LOCAL
KrbServiceName HTTP
Krb5KeyTab /etc/apache2/httpd.keytab
KrbVerifyKDC off
KrbLocalUserMapping on
require valid-user
</Location>
Keytab was generated by our admin using
ktpass -princ HTTP/hostname.company.local@COMPANY.LOCAL -mapuser hostname -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass CHOOSEPASSWORD -out httpd.keytab
I have issued the relevant chmod/chown commands. On the server, I successfully issued kinit HTTP/hostname.company.local@COMPANY.LOCAL and logged in.
kvno / klist output:
# kvno HTTP/hostname.company.local@COMPANY.LOCAL
HTTP/hostname.company.local@COMPANY.LOCAL: kvno = 8
# klist -ke httpd.keytab
Keytab name: FILE:httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 HTTP/hostname.company.local@COMPANY.LOCAL (ArcFour with HMAC/md5)
I have configured my browser (tried both Firefox and IE on Windows 7) to pass the credentials along to hopefully get rid of the prompt, but it is not working.
The Apache error logs are saying:
[error] [client 10.0.0.1] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
[error] [client 10.0.0.1] gss_accept_sec_context() failed: Invalid token was supplied (, No error)
Has anyone got any suggestions as to what I need to get this working?
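
The kvno / klist comparison made in the post, written as a repeatable check. This is an added example, not part of the original post: the function names are hypothetical, the first sample is the output shown above (separator line shortened), and the kvno 7 keytab listing is constructed to show the failing case.

```shell
#!/bin/sh
# Compare the key version the KDC reports with the versions stored in a keytab.
# The functions parse command output passed as text, so the check works on
# saved output as well as live, e.g.:
#   check_kvno "$PRINC" "$(kvno "$PRINC")" "$(klist -ke /etc/apache2/httpd.keytab)"

# Extract N from `kvno <principal>` output of the form "<principal>: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" |
        sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# List the distinct KVNOs that `klist -ke` output ($2) holds for principal $1.
keytab_kvnos() {
    printf '%s\n' "$2" |
        awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Print MATCH, MISMATCH or MISSING for principal $1, given kvno output ($2)
# and klist -ke output ($3).
check_kvno() {
    kdc=$(kdc_kvno "$2")
    kt=$(keytab_kvnos "$1" "$3")
    if [ -z "$kdc" ] || [ -z "$kt" ]; then
        echo "MISSING kdc=${kdc:-none} keytab=${kt:-none}"
    elif printf '%s\n' $kt | grep -qx "$kdc"; then
        echo "MATCH kdc=$kdc keytab=$kt"
    else
        echo "MISMATCH kdc=$kdc keytab=$kt"
    fi
}

PRINC='HTTP/hostname.company.local@COMPANY.LOCAL'
# Output as shown in the post (separator line shortened).
KVNO_OUT='HTTP/hostname.company.local@COMPANY.LOCAL: kvno = 8'
KLIST_OUT='Keytab name: FILE:httpd.keytab
KVNO Principal
---- ----------
   8 HTTP/hostname.company.local@COMPANY.LOCAL (ArcFour with HMAC/md5)'
# Constructed sample: a keytab entry with an older key version.
KLIST_OLD='   7 HTTP/hostname.company.local@COMPANY.LOCAL (ArcFour with HMAC/md5)'

check_kvno "$PRINC" "$KVNO_OUT" "$KLIST_OUT"   # output from the post
check_kvno "$PRINC" "$KVNO_OUT" "$KLIST_OLD"   # constructed failing case
```
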