hi,

Currently we have a heavy problem with our SSO configuration. You can see
in the subject which configuration we have. It's an apache2 with kerberos
modules, and the users are in an MS Active Directory.

Everything works rather fine, but some of the users get a login
dialog box a few times a day. After logging in with their
username and password everything works fine. Some of them get the
box again after a while and some don't.

For most users it works fine. But it's not only a special
group who has this login box problem. Most users have
already had this problem not

When a user gets the login box we find these messages in the Apache
logs:

[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1174): [client 192.168.2.115] Acquiring creds for HTTP/[EMAIL PROTECTED]
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1314): [client 192.168.2.115] Verifying client data using KRB5 GSS-API
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1330): [client 192.168.2.115] Verification returned code 589824
[Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(943): [client 192.168.2.115] Using HTTP/[EMAIL PROTECTED] as server principal for password verification
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for user [EMAIL PROTECTED]
[Wed Nov 21 12:24:11 2007] [debug] src/mod_auth_kerb.c(597): [client 192.168.2.115] Trying to verify authenticity of KDC using principal HTTP/[EMAIL PROTECTED]

The reason for that problem is that the browser tried to get an NTLM
ticket, but we don't know why .... Everything is configured for
Kerberos and for most users it works fine. We have already checked
different browsers, and we have this problem with IE 6 & 7 and Firefox.

I hope someone here has a great idea what we can do.

greetz
palm
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
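
The "received token seems to be NTLM" warning in the log above comes down to what the client put in its Authorization: Negotiate header. The following is an added example, not part of the original post and not mod_auth_kerb's own code: it classifies such a header value as raw NTLM, Kerberos, or SPNEGO so the affected requests can be told apart in a capture. The function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii

NTLMSSP_SIG = b"NTLMSSP\x00"                           # start of every NTLM message
# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "raw-ntlm"             # the case the log warning is about
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"              # not a GSS-API initial context token
    mech_at = _skip_der_length(token, 1)
    if token.startswith((OID_KRB5, OID_MS_KRB5), mech_at):
        return "kerberos"
    if token.startswith(OID_SPNEGO, mech_at):
        if NTLMSSP_SIG in token:
            return "spnego-ntlm"      # SPNEGO wrapper carrying an NTLM message
        if OID_KRB5 in token or OID_MS_KRB5 in token:
            return "spnego-kerberos"
        return "spnego-other"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples, not captured traffic: an NTLM type 1 prefix and
    # a minimal SPNEGO NegTokenInit that offers only Kerberos.
    ntlm = base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()
    spnego = base64.b64encode(b"\x60\x1b" + OID_SPNEGO
                              + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + OID_KRB5).decode()
    for value in ("Negotiate " + ntlm, "Negotiate " + spnego):
        print(classify_negotiate(value), value[:30])
```
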
