Looks like your SPNEGO is not requesting Kerberos tokens, or the Windows XP client doesn't support Kerberos tokens.

1. You may want to configure the Win XP client (I guess you are using the IE browser) as described in the link below:
   http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp

2. I have used mod_auth_krb (http://modauthkerb.sourceforge.net/) to configure my Apache web server (running on Linux) successfully for SPNEGO with Kerberos authentication. You may want to add these lines to your conf file:

    <Location />
    AuthType Kerberos
    KrbMethodNegotiate on
    ------ your rest of the stuff comes here -----
    </Location>

3. Use network protocol analyzer tools (ethereal works for me) to see what's going on between the KDC, client and server. You may want to run the tool on the client, as it talks to both the KDC and the server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Julien ALLANOS
Sent: Thursday, June 02, 2005 6:37 AM
To: kerberos@mit.edu
Subject: Re: kerberos authentication for apache on windows

According to Jeffrey Altman <[EMAIL PROTECTED]>:

> Julien ALLANOS wrote:
>> Hello,
>>
>> I'm new to kerberos, and I want to know if the following configuration is
>> possible:
>>
>> I have an Apache2 web server running on Windows 2003 Server, and I want to
>> authenticate users with kerberos before they can access the web server
>> content. The kdc service seems to be up and running on the Windows
>> 2003 server.
>>
>> 1/ how can I check that a client (Windows XP) that has just logged into the
>> domain, has been given a TGT?
>
> If you want a visual indication, you can use:
>
> * the "klist" tool provided by Microsoft with Windows
>
> * the "kerbtray" tool provided by Microsoft in the Resource Kit
>
> * MIT Kerberos for Windows and its Leash Ticket Manager.
>
>> Now I have to "kerberize" the Apache server. I found mod_auth_krb
>> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
>> headers and libs for a Kerberos implementation.
>>
>> 2/ Can I use Windows implementation to compile it? Or do I have to install
>> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
>> build it?
>
> If you want to build an Apache module that uses the MIT Kerberos APIs,
> you can build the module against the SDK that is installed as a part of
> MIT Kerberos for Windows.
>
> Jeffrey Altman

Thanks. I have installed kerbtray, and I can see the following tickets for MY.DOMAIN.COM:

    cifs/srv.my.domain.com
    krbtgt/MY.DOMAIN.COM (forwarded)
    krbtgt/MY.DOMAIN.COM (initial)
    ldap/srv.my.domain.com/my.domain.com

So I suppose the krbtgt are the TGT. But why two tickets?

I've succeeded in building mod_spnego.so for Windows, using MIT kfw 2.6.5, fbopenssl, openssl and apache2. Then I've created a user in AD, and a corresponding keytab for HTTP/[EMAIL PROTECTED]

I'm using the following configuration for Apache:

    <Location />
    AuthType SPNEGO
    Krb5KeyTabFile conf/rp.HTTP.keytab
    Krb5ServiceName HTTP
    Require valid-user
    </Location>

Here is a summary of an access to the web server:

    C -> GET / -> S
    C <- 401, WWW-Authenticate: Negotiate <- S
    C -> GET /, Authorization: Negotiate xxxxx -> S
    C <- 401 <- S

Here are the last 3 lines of error.log:

    [Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
    [Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
    [Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token

So what's wrong please? I really need to make Kerberos work, not NTLM.

Thanks for any help.
--
Julien ALLANOS
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos