
I am trying to set up single sign-on against our Active Directory server for my Apache using the mod_auth_kerb module.

I have the following configuration in Apache:

AuthType      Kerberos
AuthName      "Test"
KrbAuthRealms COMPANY.LOCAL
Krb5Keytab    /etc/apache2/http.keytab

The keytab was created with the following command:

ktpass -out http.keytab \
       -princ HTTP/myserver.company.local@COMPANY.LOCAL \
       -pass <REDACTED> \
       -mapuser COMPANY\myserver-HTTP \
       -crypto AES256-SHA1 \
       -ptype KRB5_NT_PRINCIPAL

I have verified that the principal in the keytab is also added to the account name.

I have another server with similar configuration where it works; the users are authenticated without a password prompt.

Any ideas on how to further troubleshoot this problem?

Christoffer Reijer
  • Any useful logs? – Froggiz Nov 20 '15 at 13:15
  • An output from `ktpass` could also be useful. What are Windows domain level and kvno value? Can you provide us the contents of krb5.conf file? What OS is your Apache httpd running on? – sam_pan_mariusz Nov 20 '15 at 13:27
  • What encryption type does mod_auth_kerb support? Instead of restricting to only one type, can you include more/all encryption types in the "crypto" option? Also, if you run ktpass in the AD domain you shouldn't have to put the domain qualifier in the "mapuser" parameter - however, I can't say that including the domain will definitely cause a problem. – strongline Nov 20 '15 at 14:15
  • @strongline This use of `-mapuser` is perfectly valid and works for me. And for the `-crypto` part - it's worth trying with the weak *RC4-HMAC-NT* first and then upgrading to the strongest type that works correctly. – sam_pan_mariusz Nov 20 '15 at 16:25
  • Are the permissions correct when you've moved the file to your Linux box? Also, do the KVNOs match? I had problems where they weren't matched and it wouldn't log in, but it would with a manual username/password entry. – dmurray Feb 05 '16 at 15:40

1 Answer


You need to set KrbMethodK5Passwd off in your Apache conf file.

NKP
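The checks the comments and the answer point at (keytab readable by httpd but not world-readable, keytab kvno equal to the kvno the KDC issues, kinit against the keytab, and an end-to-end Negotiate request that does not fall back to Basic) collected into one added shell script to run on the Apache host. This is example code written for this page, not code from the original post or from the mod_auth_kerb project. It assumes the keytab path, principal and realm from the question, that httpd runs as www-data (Debian/Ubuntu default), and a hypothetical user alice@COMPANY.LOCAL as the client identity for the end-to-end test; the two parsing helpers read captured `klist -kt` and `kvno` output so they can be exercised without a KDC.

```shell
#!/bin/sh
# Added troubleshooting helper for mod_auth_kerb keytab problems (example
# code, not from the original post). Assumed values from the question:
KEYTAB=${KEYTAB:-/etc/apache2/http.keytab}
PRINC=${PRINC:-HTTP/myserver.company.local@COMPANY.LOCAL}
HTTPD_USER=${HTTPD_USER:-www-data}          # assumption: Debian/Ubuntu httpd user
TEST_USER=${TEST_USER:-alice@COMPANY.LOCAL} # hypothetical AD user for the SSO test
URL=${URL:-https://myserver.company.local/}

# 1. Keytab kvno vs. KDC kvno (dmurray's point). Both helpers read the
#    command output from stdin so they can be checked on captured text.
# "klist -kt" prints one line per entry:  KVNO Timestamp Principal
# Print the highest kvno stored for principal $1 (0 if none).
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1+0 > kv) kv = $1+0 }
                   END { print kv+0 }'
}

# "kvno PRINC" prints:  HTTP/host@REALM: kvno = N
kdc_kvno() {
    awk -v p="$1" '$1 == p ":" && $2 == "kvno" { print $NF }'
}

# 0 if the keytab holds the kvno the KDC currently issues for $PRINC.
# Arguments: captured "klist -kt" output, captured "kvno" output.
kvno_matches() {
    kt=$(printf '%s\n' "$1" | keytab_kvno "$PRINC")
    kdc=$(printf '%s\n' "$2" | kdc_kvno "$PRINC")
    [ -n "$kdc" ] && [ "$kt" -eq "$kdc" ]
}

# 2. Permissions: the keytab is the long-term key of the HTTP service, so it
#    must not be world-readable (httpd reads it via owner or group: 0640).
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    ! find "$1" -perm -004 | grep -q .
}

# 3. Live checks, only when invoked as "sh check-kerb.sh run" so the helpers
#    above can be tested without krb5 tools or a KDC.
if [ "${1-}" = run ]; then
    set -e
    keytab_perms_ok "$KEYTAB" || echo "WARN: $KEYTAB is world-readable; chgrp $HTTPD_USER and chmod 640 it"
    sudo -u "$HTTPD_USER" klist -kt "$KEYTAB" >/dev/null || echo "FAIL: $HTTPD_USER cannot read $KEYTAB"

    # kinit -kt fails if the key in the keytab does not match the account
    # password in AD (wrong -pass, or the password was reset after ktpass).
    kinit -kt "$KEYTAB" "$PRINC"
    kt_out=$(klist -kt "$KEYTAB")
    kdc_out=$(kvno "$PRINC")      # service ticket for ourselves, shows the KDC's kvno
    kvno_matches "$kt_out" "$kdc_out" || echo "FAIL: kvno mismatch; re-run ktpass and replace $KEYTAB"
    kdestroy

    # End-to-end as a real user: "-u :" with --negotiate makes curl use only
    # the TGT, so a 200 here means the server side works. A browser that still
    # prompts is picking the Basic challenge that KrbMethodK5Passwd on adds.
    kinit "$TEST_USER"
    curl -sS -o /dev/null -w 'HTTP %{http_code}\n' --negotiate -u : "$URL"
    kdestroy
fi
```

Run it with `sh check-kerb.sh run` on the Apache host; with `LogLevel debug` set for the vhost, each failing step corresponds to a mod_auth_kerb message in the error log, which narrows the problem to key, kvno, permissions or the Basic fallback.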