Michael Ströder wrote:
> Andrew Cobaugh wrote:
>> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <mich...@stroeder.com>
>> wrote:
>>> HI!
>>>
>>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>>> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
>>> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
>>> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
>>> initialized.
>>>
>>> The web browser is Seamonkey and it already sends the
>>> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
>>> in the HTTP request.
>>>
>>> But it does not work. I don't get authorized HTTP access.
>>> In Apache's error_log I find:
>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor
>>> code may provide more information (, Decrypt integrity check failed)
>> Are you sure that the keytab specified by Krb5Keytab is consistent
>> with the HTTP service principal that is in AD? That message is the
>> same as saying "your password is wrong."
>
> Yes, I'm pretty sure. Krb5Keytab points to the file I've extracted with
> ktpass.exe and the command-line tool 'strings' extracts the right
> Kerberos realm, "HTTP" and fully-qualified domain name of the server.
>
> How can I gather more debug log messages?

Well, I set LogLevel debug in httpd.conf now and got the following
messages in Apache's error_log:

------------------------------ snip ------------------------------
[debug] src/mod_auth_kerb.c(1635): [client 10.1.1.5] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1635): [client 10.1.1.5] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1247): [client 10.1.1.5] Acquiring creds for HTTP/nb2.stroeder.lo...@dom2.adtest.local
[debug] src/mod_auth_kerb.c(1392): [client 10.1.1.5] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1408): [client 10.1.1.5] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1108): [client 10.1.1.5] GSS-API major_status:000d0000, minor_status:96c73a1f
[error] [client 10.1.1.5] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Decrypt integrity check failed)
------------------------------ snip ------------------------------

Hmm...

>> Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
>> patch so that mod_auth_kerb sets up the GSS environment correctly, so
>> that your application will use the correct KRB5CCNAME:
>>
>> http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch
>
> Many thanks for this information! I've applied this patch.

Ciao, Michael.
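
Added example (not part of the original posts, and not mod_auth_kerb or MIT code): `strings` shows the principal name stored in a keytab but not the key version number (kvno) or encryption type, and a key that does not match the one the ticket was encrypted with is what "Decrypt integrity check failed" reports. The Python below parses the MIT keytab file format 0x0502 and lists principal, kvno and enctype without returning key bytes; the sample keytab and the names in it are constructed.

```python
import struct

# Enctype numbers from the IANA Kerberos registry (subset).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab format 0x0502 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative length marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        rec = data[pos:pos + size]
        pos += size
        def counted(at):               # uint16 length followed by that many bytes
            (n,) = struct.unpack_from(">H", rec, at)
            return rec[at + 2:at + 2 + n].decode("utf-8", "replace"), at + 2 + n
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(2)
        comps = []
        for _ in range(ncomp):
            part, off = counted(off)
            comps.append(part)
        off += 8                       # skip name type (4) and timestamp (4)
        kvno = rec[off]                # 8-bit kvno
        enctype, keylen = struct.unpack_from(">HH", rec, off + 1)
        off += 5 + keylen              # step over the key; it is never returned
        if len(rec) - off >= 4:        # optional 32-bit kvno overrides if non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno,
                        ENCTYPES.get(enctype, "enctype-%d" % enctype)))
    return entries

def sample_keytab():
    """Constructed sample: one rc4-hmac entry, kvno 3, all-zero dummy key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"HTTP")
            + s(b"web.example.test") + struct.pack(">IIB", 1, 0, 3)
            + struct.pack(">HH", 23, 16) + bytes(16))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    print(parse_keytab(sample_keytab()))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the kvno and enctype it reports with those of the service account on the KDC.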