Mac authentication to Apache-Kerberos

I have an Apache server using Kerberos authentication to serve internal apps, using Active Directory as the KDC. This works fine for Windows clients. We have a few Mac clients and none of them can access the apps on Apache. The Macs are on the domain and can access other network resources.

On my R&D Mac, I do a klist in bash and it shows my tickets. The working tickets show up like CIFS/host.domain.com@domain.com. On the other hand, I have HTTP/host@domain.com for the non-working ticket. I checked my Windows PC, and it has HTTP/host.domain.com@domain.com.

I know nothing about Mac, so I don’t really know even where to start. Any suggestions?

Single AD domain running Win2012

OS X El Capitan 10.11.6

Thanks

jtaylor___

Posted 2016-08-24T12:42:17.753

Reputation: 101

Do the HTTP/host and HTTP/host.domain.com SPNs belong to the same AD account? Do they both exist in Apache's keytab? – user1686 – 2016-08-31T06:20:30.743

For some reason, Apache has both (it shouldn't). I assume AD only has the fully-qualified version. So Mac must be doing something different than Windows to pull back the short version from Apache. – jtaylor___ – 2016-08-31T13:12:55.553

No answers