I have this scenario: a Windows 2008 R2 domain and a Linux server (CentOS) with Apache.

I need to configure SSO using Kerberos in order to permit our internal clients using IE or Chrome to authenticate on a website without being asked for a password.

In order to do this I followed this tutorial: https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperability.

My Apache conf file for the site is:

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms <MYREALM>
KrbServiceName HTTP/OTRS5@<MYREALM>
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials Off
KrbVerifyKDC Off
Require valid-user

Now when I try to connect to the site I receive a 401 code.

In error.log I found:

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/OTRS5@<MYREALM>
Verifying client data using KRB5 GSS-API  
Client didn't delegate us their credential

In journalctl:

GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

I'm totally clueless about it.

Can you help me? Regards, Francesco

1 Answer

I have found the issue.

1) I enabled Kerberos logging on the DC: https://support.microsoft.com/en-us/kb/262177

2) After checking the login again, I found this error in the Security Log: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/ (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for HTTP/ in Active Directory.

3) I used this procedure to find the duplicate entry: https://support.microsoft.com/en-us/kb/321044

4) I used Active Directory Users and Computers to remove the duplicate entry:
a) Open ADUC
b) View -> Advanced Features
c) Open the object with the duplicate entry
d) Open the Attribute Editor
e) Select servicePrincipalName and delete the entry
f) Disable Kerberos logging again

Bye Francesco
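A scripted way to do the duplicate-SPN search from step 3, added here as an example and not part of the original answer; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can read the directory. It goes slightly beyond the single HTTP/OTRS5 case by reporting every SPN value that is registered on more than one account.

```powershell
# Added example (not from the original post). A servicePrincipalName registered on
# two accounts leaves the KDC unable to choose one key for the service ticket, which
# produces the "duplicate names" Security Log event on the DC and, on the Apache side,
# "Server not found in Kerberos database". This lists such duplicates so the wrong
# entry can be removed. Assumes the RSAT ActiveDirectory module (assumption).
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # Optional wildcard filter, e.g. 'HTTP/*' to restrict the report to one service class.
        [string]$Pattern = '*'
    )

    # Build one row per (SPN, account) pair across every object that has any SPN.
    $rows = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                         -Properties servicePrincipalName, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                if ($spn -like $Pattern) {
                    [pscustomobject]@{
                        # Normalise case so HTTP/otrs5 and HTTP/OTRS5 fall into one group.
                        Spn     = $spn.ToLowerInvariant()
                        Account = $obj.DistinguishedName
                        Class   = $obj.objectClass
                    }
                }
            }
        }

    # Keep only SPN values that appear on more than one object.
    $rows | Group-Object -Property Spn | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn      = $_.Name
                Count    = $_.Count
                Accounts = ($_.Group.Account -join '; ')
            }
        }
}

# Report HTTP SPNs only, matching the service class from the question.
Find-DuplicateSpn -Pattern 'HTTP/*' | Format-Table -AutoSize

# The built-in tool performs the same forest-wide check:
#   setspn -X
```

Once the offending account is identified, removing the stray value with `setspn -D HTTP/OTRS5 <account>` is equivalent to the Attribute Editor steps in the answer.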