After struggling for a very long time with Kerberos authentication on my website, I am finally coming to you because I am lost. I am currently creating a classic PHP website and I want to include seamless authentication by using Kerberos.

So here is the situation:

  1. I have a Windows 2012R2 domain controller with the KDC role.
  2. I have a Linux LAMP server (fqdn = webserver.domain.local).
  3. I have my website which is hosted on the Linux server and which is reachable through HTTPS with this name: site.domain.local

I have set up my Kerberos authentication mostly by following these instructions: https://serverfault.com/a/753956/506532 (my SPN is HTTPS/site.domain.local@DOMAIN.LOCAL)
I have also registered site.domain.local as an "intranet website" in IE settings.

When I check if Kerberos authentication is working from the webserver with kinit, the authentication is successful, but when I go to site.domain.local from my computer (which is, of course, joined to the domain) it prompts me to authenticate with BASIC. I can successfully log in with my credentials, but I assume Kerberos is not working properly and I do not understand why.

When accessing the website I get this error in Apache's logs:

gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

With debug mode enabled, I get these logs:

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTPS/site.domain.local@DOMAIN.LOCAL
Verifying client data using KRB5 GSS-API
Client didn't delegate us their credential
Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
GSS-API major_status:00010000, minor_status:00000000

I searched for a solution, and everyone with this kind of behavior solved it by adding the website as an "intranet website" in IE, but that is already done for me...

Does anyone have any idea?

B. Clerc

1 Answer


Your SPN is incorrect. It should be HTTP/site.domain.local

  • HTTP and HTTPS are considered the same service class (HTTP).
  • You should not include realm name in SPN (at least for Active Directory, not sure about other Kerberos implementations).
Don Zoomik
  • I have just tried (HTTP instead of HTTPS and SPN without the realm) but I get the same errors. – B. Clerc Jan 23 '19 at 13:18
  • On your client, please check if you actually get the ticket for SPN. After trying to connect to website, when you run "klist", you should see a ticket for server "HTTP/site.domain.local". Other things off the top of my head * You're using a browser that doesn't respect Windows zones (Firefox) * Ports other than 80/443 * CNAME, not A record https://support.microsoft.com/en-us/help/938305/ – Don Zoomik Jan 23 '19 at 14:55
  • I do not get the ticket on the client for this SPN (but I have for others services), so the problem is probably on the web server side. Anyhow I always check with IE, Chrome and Firefox (with registry modified to accept kerberos). I use classic 443 port and I have A record not CNAME. – B. Clerc Jan 24 '19 at 09:04
  • Check HTTP headers that server is actually requesting 401 with negotiate. Actual server configuration and a few screenshots from ADUC's attribute editor to show actual servicePrincipalName values might also help. Also you might want to check AD database for duplicate SPNs (uniqueness is not enforced in schema). – Don Zoomik Jan 24 '19 at 10:12
  • Everything is working now, but I have no idea why. I suspect that my several failures come from the sync delay between my DCs. Anyway, thanks for the help! – B. Clerc Jan 24 '19 at 14:19
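As an added example (not code from the question or from either poster): a small Python inspector for the token a browser sends in its `Authorization: Negotiate` header, which is the server-side check Don Zoomik suggests and makes visible what the mod_auth_kerb warning in the question reports, namely whether the client sent raw NTLM (the fallback a Windows client uses when it holds no service ticket for the SPN) or a SPNEGO token offering Kerberos. The two sample tokens are constructed for this example; the OIDs are the standard GSS-API mechanism identifiers.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06 + length + contents), standard GSS-API values
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}

def der_value(buf):
    """Return the value bytes of the first DER TLV in buf (short and long-form lengths)."""
    length, i = buf[1], 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        i += n
    return buf[i:i + length]

def classify_token(b64_token):
    """Classify the token from an 'Authorization: Negotiate <b64>' request header."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):     # raw NTLM: exactly what mod_auth_kerb's warning detects
        return {"kind": "ntlm-raw", "ntlm_type": int.from_bytes(raw[8:12], "little"), "mechs": []}
    if raw[:1] != b"\x60":                 # GSS initial tokens start with [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    inner = der_value(raw)                 # thisMech OID followed by the inner token
    if inner.startswith(SPNEGO_OID):
        body = inner[len(SPNEGO_OID):]     # NegTokenInit: its mechTypes list names the offered mechs
        return {"kind": "spnego", "mechs": [n for oid, n in MECH_NAMES.items() if oid in body]}
    if inner.startswith((KRB5_OID, MS_KRB5_OID)):
        return {"kind": "krb5-raw", "mechs": ["krb5"]}
    return {"kind": "unknown", "mechs": []}

def diagnose(authorization_header):
    """One-line verdict on a request's Authorization header, for a server-side check."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"client answered with {scheme}, not Negotiate: check the WWW-Authenticate challenge and the IE zone"
    info = classify_token(token)
    if info["kind"] == "ntlm-raw" or info["mechs"] == ["ntlmssp"]:
        return "client fell back to NTLM: it has no service ticket for the SPN (check klist, SPN, IE zone)"
    if info["kind"] == "krb5-raw" or any(m.endswith("krb5") for m in info["mechs"]):
        return "client offered Kerberos: remaining failures point at the server keytab/SPN"
    return "unrecognised token"

# Constructed sample tokens (not captured from the question's server)
SAMPLE_NTLM_B64 = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24).decode()
SAMPLE_SPNEGO_KRB5_B64 = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()

if __name__ == "__main__":
    for header in ("Negotiate " + SAMPLE_NTLM_B64, "Negotiate " + SAMPLE_SPNEGO_KRB5_B64, "Basic dXNlcjpwYXNz"):
        print(diagnose(header))
```

Paste the base64 from a real request header (captured with the browser's developer tools or Apache's `%{Authorization}i` log format) into `diagnose` to see which path the client actually took.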