
I use a helpdesk system in our intranet that I've configured for Single-Sign-On via LDAP/Active Directory.

The helpdesk server itself lives on an Ubuntu 16.04 Server box running on Apache, Server version: Apache/2.4.18 (Ubuntu) Server built: 2018-04-18T14:53:04

It has two portals, one for the Agents to login and one for the Clients/End-Users to login and check on their tickets they've put in.

I have the client one functioning; it auto-logs in and works flawlessly.

However, the Agent Portal is still experiencing issues. LDAP/AD works fine, because Agents can still authenticate using their Active Directory credentials; it does not, however, log them in seamlessly via SSO as it should.

I am getting the following errors in my Apache log, and I'm not sure what they're trying to tell me.

[Fri Sep 07 06:26:01.351695 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1971): [client 10.1.11.57:50052] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 07 06:26:01.351711 2018] [core:trace3] [pid 64957] request.c(119): [client 10.1.11.57:50052] auth phase 'check user' gave status 401: /scp/tickets.php
[Fri Sep 07 06:26:01.351747 2018] [http:trace3] [pid 64957] http_filters.c(1129): [client 10.1.11.57:50052] Response sent with status 401, headers:
[Fri Sep 07 06:26:01.351754 2018] [http:trace5] [pid 64957] http_filters.c(1136): [client 10.1.11.57:50052]   Date: Fri, 07 Sep 2018 13:26:01 GMT
[Fri Sep 07 06:26:01.351760 2018] [http:trace5] [pid 64957] http_filters.c(1139): [client 10.1.11.57:50052]   Server: Apache
[Fri Sep 07 06:26:01.351768 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   WWW-Authenticate: Negotiate
[Fri Sep 07 06:26:01.351774 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   WWW-Authenticate: Basic realm="Kerberos Login"
[Fri Sep 07 06:26:01.351780 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Content-Length: 381
[Fri Sep 07 06:26:01.351793 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Keep-Alive: timeout=5, max=100
[Fri Sep 07 06:26:01.351799 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Connection: Keep-Alive
[Fri Sep 07 06:26:01.351804 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Content-Type: text/html; charset=iso-8859-1
[Fri Sep 07 06:26:01.351826 2018] [core:trace6] [pid 64957] core_filters.c(525): [client 10.1.11.57:50052] core_output_filter: flushing because of FLUSH bucket
[Fri Sep 07 06:26:01.352918 2018] [core:trace5] [pid 64957] protocol.c(653): [client 10.1.11.57:50052] Request received from client: GET /scp/tickets.php HTTP/1.1
[Fri Sep 07 06:26:01.352952 2018] [http:trace4] [pid 64957] http_request.c(394): [client 10.1.11.57:50052] Headers received from client:
[Fri Sep 07 06:26:01.352958 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Host: osticket.mydomain.com
[Fri Sep 07 06:26:01.352964 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Connection: keep-alive
[Fri Sep 07 06:26:01.352976 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Authorization: Negotiate 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
[Fri Sep 07 06:26:01.352989 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Accept: */*
[Fri Sep 07 06:26:01.352999 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
[Fri Sep 07 06:26:01.353005 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Accept-Encoding: gzip, deflate
[Fri Sep 07 06:26:01.353010 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Accept-Language: en-US,en;q=0.9
[Fri Sep 07 06:26:01.353015 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Cookie: OSTSESSID=f7udqsee20qr32mmg9loh7aci5
[Fri Sep 07 06:26:01.353054 2018] [authz_core:debug] [pid 64957] mod_authz_core.c(809): [client 10.1.11.57:50052] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Sep 07 06:26:01.353062 2018] [authz_core:debug] [pid 64957] mod_authz_core.c(809): [client 10.1.11.57:50052] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Sep 07 06:26:01.353069 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1971): [client 10.1.11.57:50052] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 07 06:26:01.353102 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1722): [client 10.1.11.57:50052] Verifying client data using KRB5 GSS-API with our SPNEGO lib
[Fri Sep 07 06:26:01.353619 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1738): [client 10.1.11.57:50052] Client didn't delegate us their credential

Below are my Apache, Kerberos & SMB configurations.

<VirtualHost osticket.domain.com:80>
#RewriteEngine On
#RedirectMatch ^/view.php$ /tickets.php
#RedirectMatch ^/account.php$ /tickets.php
ServerName osticket.domain.com
ServerAlias osticket
ServerAdmin mjackman@domain.com
DocumentRoot /var/www/osticket/upload
LogLevel trace8
#LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/osticket_error.log
CustomLog ${APACHE_LOG_DIR}/osticket_access.log combined
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms DOMAIN.COM
KrbServiceName Any
Krb5Keytab "/etc/krb5.keytab"
KrbSaveCredentials On
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC Off
require valid-user
</Location>
</VirtualHost>

KRB5.CONF

[logging]
        default = FILE:/var/log/kerberos.log
[libdefaults]
        default_realm = DOMAIN.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        DOMAIN.COM = {
                kdc = 10.1.10.15
                master_kdc = 10.1.10.15
                admin_server = 10.1.10.15
                default_domain = DOMAIN.COM
        }
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
[login]
        krb4_convert = true
        krb4_get_tickets = false

SMB.CONF

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = DOMAIN
   realm = DOMAIN.COM
   netbios name = osticket
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   passdb backend = tdbsam
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   password server = 10.1.10.15
   encrypt passwords = yes
   #machine password timeout = 0 #needed when using only the machine account
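The `<VirtualHost>` above is also worth reading as a security review, not only as an SSO problem: the trace log shows Apache offering a `Basic` challenge next to `Negotiate` on a plain-HTTP port, and the `trace8` log captures session cookies. The script below is an added example written for this page (not the poster's code and not part of Apache or mod_auth_kerb); it parses the posted vhost, copied here as a constructed sample, and reports the directives whose documented meaning weakens the setup. The finding texts are my reading of the mod_auth_kerb directive documentation.

```python
"""Audit a mod_auth_kerb <VirtualHost> for settings that weaken Kerberos SSO.

Added example for this post, not the poster's own code and not part of
osTicket, Apache or mod_auth_kerb. SAMPLE_VHOST is the poster's vhost trimmed
to the directives the audit looks at; the findings follow the documented
meaning of each directive.
"""
import re

# Constructed sample: the vhost from the question, minus log/doc-root lines.
SAMPLE_VHOST = """\
<VirtualHost osticket.domain.com:80>
ServerName osticket.domain.com
LogLevel trace8
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms DOMAIN.COM
KrbServiceName Any
Krb5Keytab "/etc/krb5.keytab"
KrbSaveCredentials On
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC Off
require valid-user
</Location>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^>:]*:(\d+)\s*>", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s+(.+?)\s*$")


def parse_vhost(text):
    """Return (port, {directive_lowercase: value}) for a single vhost.

    Comment lines and the <VirtualHost>/<Location> tags are skipped; a
    directive that appears twice keeps its last value, as Apache does.
    """
    port = None
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_RE.match(line)
        if m:
            port = int(m.group(1))
            continue
        if line.startswith("<"):          # <Location />, </Location>, ...
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = m.group(2).strip('"')
    return port, directives


def _on(value):
    return value is not None and value.lower() == "on"


def audit_vhost(text):
    """Return a list of (severity, directive, finding) tuples."""
    port, d = parse_vhost(text)
    tls = port == 443 or _on(d.get("sslengine"))
    findings = []
    if _on(d.get("krbmethodk5passwd")) and not tls:
        findings.append(("high", "KrbMethodK5Passwd",
            "Basic fallback is enabled on a non-TLS vhost (port %s): when SSO "
            "fails the browser sends the user's AD password in cleartext." % port))
    if d.get("krbverifykdc", "on").lower() == "off":   # module default is On
        findings.append(("high", "KrbVerifyKDC",
            "KDC verification is off, so a password login is not checked against "
            "the keytab key; a host posing as the KDC can forge a successful login."))
    if d.get("krbservicename", "").lower() == "any":
        findings.append(("info", "KrbServiceName",
            "'Any' accepts a ticket for every principal in the keytab; naming "
            "HTTP/<fqdn> explicitly documents which SPN the browser needs a ticket for."))
    if _on(d.get("krbsavecredentials")):
        findings.append(("info", "KrbSaveCredentials",
            "Delegated credentials would be written to a ccache on the web server; "
            "leave this off unless the application must act as the user."))
    lvl = d.get("loglevel", "warn").lower()
    if lvl.startswith("trace") or lvl == "debug":
        findings.append(("medium", "LogLevel",
            "%s writes request headers, including Authorization tokens and session "
            "cookies, to the error log; drop back to warn after debugging." % lvl))
    return findings


if __name__ == "__main__":
    for severity, directive, text in audit_vhost(SAMPLE_VHOST):
        print("[%s] %s: %s" % (severity, directive, text))
```

Running it against the posted vhost reports all five directives; moving the vhost to 443 (or `SSLEngine On`), turning `KrbVerifyKDC` back on, naming the SPN, and lowering `LogLevel` clears every finding. None of these change whether SSO works, but they decide what an attacker on the intranet sees when it does not.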

  • It's been a long time since I did AD integration with apache, but my first thought: If the two different portals live on the same server but are reached on different DNS names, you'll need to create in Active Directory an (additional) SPN for each DNS name that clients will use to access the server for Kerberos SSO to work. – HBruijn Sep 07 '18 at 17:53
  • @HBruijn The DNS should be the same, they are however reached at different directories. E.g. `ticket.domain.com } client portal - this one works` `ticket.domain.com/scp } agent portal - does not work` Wondering if I should switch from using Apache directive to using an htaccess file instead. – Pietro Aretino Sep 07 '18 at 19:17
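The trace log in the question and HBruijn's SPN comment point at the same check: after the 401 with `WWW-Authenticate: Negotiate`, what did the browser actually put in `Authorization: Negotiate ...`, and does the keytab hold a key for `HTTP/<Host header>`? The real token was removed from the post, so the script below (an added example, not the poster's code and not part of mod_auth_kerb or osTicket) builds a constructed log excerpt modelled on the lines above, with an NTLM type-1 token standing in for the missing value, and a constructed `klist -kt` listing that holds only the machine principals. A Windows browser that cannot obtain a Kerberos service ticket for the SPN sends NTLMSSP under the same `Negotiate` scheme, which mod_auth_kerb cannot verify; recognising that token prefix is the quickest way to tell a missing SPN from a bad keytab.

```python
"""Read the Negotiate handshake out of an Apache trace log and check it
against the keytab.

Added example for this post, not the poster's code and not part of
mod_auth_kerb. The log excerpt and klist output are constructed to resemble
the question; the keytab contents (no HTTP/ principal) are an assumption
chosen to show the missing-SPN case.
"""
import base64
import re

# SPNEGO and Kerberos v5 mechanism OIDs as they appear DER-encoded in a token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed NTLM type-1 message: signature, type, flags, empty name fields.
NTLM_TYPE1 = base64.b64encode(
    b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
).decode()

# Constructed excerpt modelled on the trace8 lines in the question.
SAMPLE_LOG = f"""\
[Fri Sep 07 06:26:01.351747 2018] [http:trace3] [pid 64957] http_filters.c(1129): [client 10.1.11.57:50052] Response sent with status 401, headers:
[Fri Sep 07 06:26:01.351768 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   WWW-Authenticate: Negotiate
[Fri Sep 07 06:26:01.352918 2018] [core:trace5] [pid 64957] protocol.c(653): [client 10.1.11.57:50052] Request received from client: GET /scp/tickets.php HTTP/1.1
[Fri Sep 07 06:26:01.352958 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Host: osticket.mydomain.com
[Fri Sep 07 06:26:01.352976 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Authorization: Negotiate {NTLM_TYPE1}
"""

# Constructed 'klist -kt /etc/krb5.keytab' output: only what 'net ads join' adds.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/01/2018 10:00:00 host/osticket.mydomain.com@MYDOMAIN.COM
   2 09/01/2018 10:00:00 OSTICKET$@MYDOMAIN.COM
"""

STATUS_RE = re.compile(r"Response sent with status (\d+)")
HOST_RE = re.compile(r"\]\s+Host:\s+(\S+)\s*$")
AUTHZ_RE = re.compile(r"\]\s+Authorization:\s+Negotiate\s+(\S+)\s*$")


def classify_token(b64):
    """Say what the browser really sent under the Negotiate scheme.

    A SPNEGO/Kerberos token is DER: tag 0x60 (APPLICATION 0) then a mechanism
    OID. An NTLMSSP message means the client had no Kerberos ticket to offer.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "invalid"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":
        if SPNEGO_OID in raw[:16]:
            return "spnego"
        if KRB5_OID in raw[:16]:
            return "kerberos"
    return "unknown"


def parse_handshake(log):
    """Collect status codes, Host header and Negotiate token from trace lines."""
    host = token = None
    statuses = []
    for line in log.splitlines():
        m = STATUS_RE.search(line)
        if m:
            statuses.append(int(m.group(1)))
        m = HOST_RE.search(line)
        if m:
            host = m.group(1)
        m = AUTHZ_RE.search(line)
        if m:
            token = m.group(1)
    return {"host": host, "token": token, "statuses": statuses}


def keytab_principals(klist_output):
    """Principals from 'klist -kt' output; the principal is the last column."""
    return {parts[-1] for parts in (l.split() for l in klist_output.splitlines())
            if parts and "@" in parts[-1]}


def diagnose(log, klist_output):
    hs = parse_handshake(log)
    spn = "HTTP/%s" % hs["host"] if hs["host"] else None
    # AD resolves SPNs case-insensitively; compare the service part the same way.
    have_spn = spn is not None and any(
        p.split("@")[0].lower() == spn.lower() for p in keytab_principals(klist_output))
    ttype = classify_token(hs["token"]) if hs["token"] else "none"
    if ttype == "ntlm":
        verdict = ("browser fell back to NTLM, so it got no Kerberos ticket for %s; "
                   "check the SPN is registered in AD and its key is in the keytab" % spn)
    elif ttype in ("spnego", "kerberos") and not have_spn:
        verdict = "Kerberos token received but the keytab has no key for %s" % spn
    elif ttype in ("spnego", "kerberos"):
        verdict = "token and keytab look consistent; read the GSS error text in the log"
    else:
        verdict = "no usable Negotiate token in the excerpt (%s)" % ttype
    return {"host": hs["host"], "spn": spn, "token_type": ttype,
            "spn_in_keytab": have_spn, "statuses": hs["statuses"], "verdict": verdict}


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_LOG, SAMPLE_KLIST).items():
        print("%-14s %s" % (k + ":", v))
```

On a live box, replace the two constants with the real `osticket_error.log` excerpt and the output of `klist -kt /etc/krb5.keytab`; a token beginning `YII` is SPNEGO and the keytab check is what matters, a token beginning `TlRMTVNT` is NTLM and the SPN in AD (`setspn -L osticket$` on a domain controller) is the first thing to look at.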

0 Answers