According to Jeffrey Altman <[EMAIL PROTECTED]>:
Julien ALLANOS wrote:
Hello,
I'm new to kerberos, and I want to know if the following configuration is
possible:
I have an Apache2 web server running on Windows 2003 Server, and I want to
authenticate users with kerberos before they can access the web server
content. The kdc service seems to be up and running on the Windows
2003 server.
1/ how can I check that a client (Windows XP) that has just logged into the
domain, has been given a TGT?
If you want a visual indication, you can use:
* the "klist" tool provided by Microsoft with Windows
* the "kerbtray" tool provided by Microsoft in the Resource Kit
* MIT Kerberos for Windows and its Leash Ticket Manager.
Now I have to "kerberize" the Apache server. I found mod_auth_krb
(http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
headers and libs for a Kerberos implementation.
2/ Can I use Windows implementation to compile it? Or do I have to install
another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
build it?
If you want to build an Apache module that uses the MIT Kerberos APIs,
you can build the module against the SDK that is installed as a part of
MIT Kerberos for Windows.
Jeffrey Altman
Thanks.
I have installed kerbtray, and I can see the following tickets for
MY.DOMAIN.COM:
cifs/srv.my.domain.com
krbtgt/MY.DOMAIN.COM (forwarded)
krbtgt/MY.DOMAIN.COM (initial)
ldap/srv.my.domain.com/my.domain.com
So I suppose the krbtgt are the TGT. But why two tickets?
I've succeeded in building mod_spnego.so for Windows, using MIT kfw 2.6.5,
fbopenssl, openssl and apache2. Then I've created a user in AD, and a
corresponding keytab for HTTP/[EMAIL PROTECTED]
I'm using the following configuration for Apache:
<Location />
AuthType SPNEGO
Krb5KeyTabFile conf/rp.HTTP.keytab
Krb5ServiceName HTTP
Require valid-user
</Location>
Here is a summary of an access to the web server:
C -> GET / -> S
C <- 401, WWW-Authenticate: Negotiate <- S
C -> GET /, Authorization: Negotiate xxxxx -> S
C <- 401 <- S
Here are the last 3 lines of error.log:
[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
[Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
[Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token
So what's wrong please? I really need to make Kerberos work, not NTLM.
Thanks for any help.
--
Julien ALLANOS
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
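The "received type 1 NTLM token" line above comes from the server looking inside the base64 blob that follows "Negotiate". The check below is an added example (not mod_spnego's code and not from the thread) showing how a raw NTLMSSP message is told apart from a GSS-API/SPNEGO or Kerberos token when debugging this kind of 401; the sample tokens are constructed, not captured from the exchange.

```python
import base64

# DER-encoded OIDs that head a GSS-API InitialContextToken (0x60 tag).
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos 5)

def _skip_der_length(buf: bytes, pos: int) -> int:
    """Return the offset just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                      # short form: a single length byte
        return pos + 1
    return pos + 1 + (first & 0x7F)       # long form: 0x8N followed by N length bytes

def classify_negotiate_token(header_value: str) -> str:
    """Classify an Authorization header as 'ntlm type N', 'spnego', 'krb5' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return "unknown"
    # Raw NTLMSSP blob: the browser fell back to NTLM (it did not negotiate Kerberos
    # for this host, so the HTTP service ticket / SPN setup is the first thing to check).
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        return f"ntlm type {int.from_bytes(token[8:12], 'little')}"
    # GSS-API framing: [APPLICATION 0] tag, DER length, then the mechanism OID.
    if token[:1] == b"\x60":
        try:
            rest = token[_skip_der_length(token, 1):]
        except IndexError:
            return "unknown"
        if rest.startswith(SPNEGO_OID):
            return "spnego"
        if rest.startswith(KRB5_OID):
            return "krb5"
    return "unknown"

# Constructed sample tokens: an NTLM type 1 (negotiate) message, and a SPNEGO
# negTokenInit header whose inner contents are truncated to a dummy INTEGER.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24).decode()
_spnego_body = SPNEGO_OID + b"\xa0\x03\x02\x01\x00"
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(_spnego_body)]) + _spnego_body).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO):
        print(classify_negotiate_token(sample))   # ntlm type 1, then spnego
```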