Hello,

I want to build a web-based application where a client sends a request to server 1, on which a PHP application resides. This application has to send a request to a gateway. The gateway itself then calls the target application on server 3, which again is protected by Kerberos:

Client (fTGT) ---> Server 1 (Apache, mod_auth_kerb) ---> Gateway ---> Server 3 (Apache, mod_auth_kerb)

Everything should work as a single sign-on application. The idea is: the client has a forwardable ticket-granting ticket. This ticket is forwarded to server 1. Server 1 takes the ticket and integrates it in a request sent to a gateway server. This one (based on Perl LWP) uses the ticket to send another request to server 3.

So far everything works fine except the ticket transfer from the client to server 1. If httpd.conf on server 1 is set up with

  KrbMethodK5Passwd on
  KrbSaveCredentials on

server 1 receives a ticket-granting ticket that can be sent to the gateway. The disadvantage is that the user has to enter username and password. If on server 1 KrbMethodK5Passwd is set to off, the authentication on server 1 works too, but server 1 does not save a ticket. The Apache error log simply says:

[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for [EMAIL PROTECTED]
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for [EMAIL PROTECTED]
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 09:27:17 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0

To find out a bit more I changed line 1394 in mod_auth_kerb.c from

  if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)

to

  if (conf->krb_save_credentials)

Then the Apache error log says:

[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for [EMAIL PROTECTED]
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (Unknown code ____ 255))
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1485): [client 10.3.188.14] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1172): [client 10.3.188.14] Acquiring creds for [EMAIL PROTECTED]
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1316): [client 10.3.188.14] Verifying client data using KRB5 GSS-API
[Sun Feb 04 08:33:36 2007] [debug] src/mod_auth_kerb.c(1332): [client 10.3.188.14] Verification returned code 0
[Sun Feb 04 08:33:36 2007] [error] [client 10.3.188.14] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error))

As it looks, there is a GSS_C_NO_CREDENTIAL flag set to true for a reason I don't know. I tried to find out where this flag comes from and how it could be set correctly, but I did not succeed.

To exclude that it is a Firefox problem I also used a simple Perl script based on LWP (same result). In the krb5.conf I tried different defaults, for example:

  [libdefaults]
      default_realm = DK.CH
      forwardable = true
      proxiable = true

I also tried "handmade" TGTs (kinit -f ...).

Kerberos version is MIT krb5-1.6, Apache version is 2.2.3, mod_auth_kerb version is 5.3.

In order to have a single sign-on solution I need a fTGT on server 1. Is that right? Is it possible at all? If yes, what would I have to change?

Thanks in advance
Donald Kaden
Kaden & Partner AG

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
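The two caches involved in this question can be checked with `klist -f`: the client's cache must hold a forwardable TGT (flag `F`), and the cache that KrbSaveCredentials writes on server 1 should hold a TGT marked forwarded (flag `f`). The Python below is an added example, not code from the original post or from mod_auth_kerb; it parses MIT krb5 `klist -f` output and the two sample outputs it uses are constructed, not captured.

```python
import re

# Constructed sample of `klist -f` on the client before it contacts server 1.
# In the Flags column, 'F' = forwardable, 'I' = initial, 'A' = pre-authenticated.
CLIENT_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DK.CH

Valid starting     Expires            Service principal
02/04/07 09:00:00  02/04/07 19:00:00  krbtgt/DK.CH@DK.CH
\tFlags: FIA
"""

# Constructed sample of the cache KrbSaveCredentials writes on server 1 once
# delegation works: the TGT carries 'f' (forwarded) and lacks 'I' (initial).
SERVER1_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_apache_XXXXXX
Default principal: user@DK.CH

Valid starting     Expires            Service principal
02/04/07 09:27:17  02/04/07 19:00:00  krbtgt/DK.CH@DK.CH
\tFlags: FfA
"""

def tgt_flags(klist_output):
    """Return the flag letters of the krbtgt entry, or None if there is no TGT."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/" in line:
            # Some versions print a "renew until" line before "Flags:", so look ahead.
            for follow in lines[i + 1:i + 4]:
                m = re.match(r"\s*Flags:\s*(\S+)", follow)
                if m:
                    return m.group(1)
            return ""
    return None

def delegation_status(client_out, server_out):
    """Explain, from the two caches, why a TGT did or did not reach server 1."""
    client, server = tgt_flags(client_out), tgt_flags(server_out)
    if client is None or "F" not in client:
        return "client TGT missing or not forwardable; obtain it with kinit -f"
    if server is None:
        # A forwardable TGT alone is not enough: the client must also ask for
        # delegation (GSS_C_DELEG_FLAG); the server cannot create the credential itself.
        return "no TGT on server 1: the client did not request delegation"
    if "f" in server:
        return "ok: forwarded TGT present on server 1"
    return "server 1 holds its own TGT (e.g. from KrbMethodK5Passwd), not a forwarded one"
```

Run `tgt_flags` over the real `klist -f` output of each cache; a client TGT that shows `F` while server 1 stores nothing points at the client side not requesting delegation rather than at mod_auth_kerb.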