Hi,

We're using Kerberos to authenticate our users accessing websites hosted on 
Apache 2.2 web servers using mod_auth_kerb. Currently we're trying to update our 
Kerberos stack on SuSE Linux from Heimdal 0.7.2 to MIT 1.6.3 (this version 
comes with SuSE Linux Enterprise Server 11).

Currently we're running multiple websites configured as virtual hosts in 
Apache. All virtual hosts could be served using one single keytab file 
representing one single account in our Active Directory (Win 2003) with one 
ServicePrincipalName for each virtual host.

The keytab file contains only one entry for "HTTP/hostname.enbw....@enbw.net".

This worked fine using the Heimdal Kerberos implementation, even if the 
browser (i.e. Internet Explorer 7) accesses a virtual host 
http://virtualhost.enbw.net/ and sends a ticket for the service 
HTTP/virtualhost.enbw.net.

Using the MIT implementation, accessing the virtual host using Firefox still 
works, because Firefox does a reverse and forward DNS lookup and sends a Kerberos 
ticket for HTTP/hostname.enbw.net, which is found in the keytab file. With 
Internet Explorer, mod_auth_kerb declines the access to 
http://virtualhost.enbw.net, because it sends (actually the same) Kerberos 
ticket (but) for HTTP/virtualhost.enbw.net, which is not found in the keytab 
file. Apache shows the following error:

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may 
provide more information (, Key table entry not found)

At the moment I have no really good idea how to solve this - the first idea was 
to create a separate account and keytab for each virtual host, but the different 
behaviour of Firefox and IE seems to make that impossible, because one 
ServicePrincipalName would have to be added to multiple accounts, but must be 
unique in Active Directory at the same time.

Can anyone provide some help or an idea of how to solve this?

Thanks and best regards,

Michael

Michael Beier
Team SIS OIOAW (Web Basis)

EnBW Systeme Infrastruktur Support GmbH
Durlacher Allee 93
76131 Karlsruhe

Tel.: +49 (7 21) 63 - 14545
Fax: +49 (7 21) 63 - 15099
mailto:m.be...@enbw.com

EnBW Systeme Infrastruktur Support GmbH
Registered office: Karlsruhe
Commercial register: Amtsgericht Mannheim - HRB 108550
Chairman of the Supervisory Board: Dr. Bernhard Beck
Managing Directors: Jochen Adenau, Hans-Günther Meier


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
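
Added example, not part of the original post: a small offline check that lists, for each virtual host, the service principal a client may request (the literal virtual host name, as the post describes for Internet Explorer, or the DNS-canonical host name, as described for Firefox) and whether the keytab has a matching entry. The host names, realm, keytab path, `klist -k` listing and DNS mapping are constructed placeholders.

```python
import re

# Constructed sample of MIT `klist -k` output; path and names are placeholders.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www1.example.net@EXAMPLE.NET
"""

# Constructed mapping: virtual host -> name after reverse/forward DNS lookup.
CANONICAL = {
    "intranet.example.net": "www1.example.net",
    "wiki.example.net": "www1.example.net",
    "www1.example.net": "www1.example.net",
}
REALM = "EXAMPLE.NET"

def keytab_principals(klist_text):
    """Return the set of principals listed in `klist -k` output."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)  # "<kvno> <principal>"
        if m:
            found.add(m.group(1))
    return found

def check_vhosts(canonical, principals, realm):
    """Map each vhost to its two candidate SPNs and whether a key exists."""
    report = {}
    for vhost, host in canonical.items():
        literal = f"HTTP/{vhost}@{realm}"   # ticket for the name in the URL
        canon = f"HTTP/{host}@{realm}"      # ticket for the canonical host
        report[vhost] = {
            "literal": (literal, literal in principals),
            "canonical": (canon, canon in principals),
        }
    return report

def missing_entries(report):
    """SPNs a client may present for which the keytab holds no entry."""
    return sorted({spn for r in report.values() for spn, ok in r.values() if not ok})

if __name__ == "__main__":
    report = check_vhosts(CANONICAL, keytab_principals(KLIST_OUTPUT), REALM)
    for vhost, result in report.items():
        print(vhost, result)
    print("no keytab entry for:", missing_entries(report))
```

Each principal it reports as missing is one for which an exact-match keytab lookup would end in "Key table entry not found".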
