I'm trying to modify a webserver that I work on to do SPNEGO authentication with an Active Directory server. In preparation for that I've set up 2 machines to test the authentication and I thought I'd try and use an existing simple webserver to check that I have them set up correctly before I start modifying my webserver, so I'm trying to test it using the flask-kerberos project: https://flask-kerberos.readthedocs.io/en/latest/
Unfortunately, it seems that there's a problem with the setup and I'm not sure where to look next to solve it. When running the flask webserver I get this error when it tries to do the authGSSServerInit call:

    GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('', 100004))

My setup is I have 3 machines: 1 Windows Server with Active Directory installed and a couple of users set up, and a user and SPN set for the webserver. Then a CentOS machine with the webserver on it and a Windows 7 machine that's on the AD domain with an authenticated user. When I try and authenticate from the Windows 7 machine to the /protected page created by the flask webserver then I get the message above.

From what I can tell my krb5.conf is configured correctly; I can run kinit with a couple of different usernames and they seem to work fine.

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = TEST.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     TEST.LOCAL = {
      kdc = WIN-KBRA593O67I.Test.local
      admin_server = WIN-KBRA593O67I.Test.local
     }

    [domain_realm]
     .Test.local = TEST.LOCAL
     Test.local = TEST.LOCAL

And I think my keytab file is ok. If I run klist -k I get the following output:

    [root@TestCentOSGui testFlask]# klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL

And I can do kinit with the service principal with kinit -k, and afterwards klist shows the ticket:

    [root@TestCentOSGui testFlask]# kinit HTTP/TestCentOSGui.Test.local -k
    [root@TestCentOSGui testFlask]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/TestCentOSGui.Test.local@TEST.LOCAL

    Valid starting     Expires            Service principal
    06/22/16 15:02:12  06/23/16 01:02:16  krbtgt/TEST.LOCAL@TEST.LOCAL
        renew until 06/29/16 15:02:12

I'm hoping that there's something simple that I'm missing, but I'm not really sure where to look or what to try next, so any advice would be welcome.

--
View this message in context: http://kerberos.996246.n3.nabble.com/Beginner-Kerberos-question-problem-with-spnego-authentication-with-webserver-tp45585.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
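A pre-flight check for the situation described in the post, added here as an example; it is not part of the original message and not code from flask-kerberos or python-kerberos. The acceptor side of authGSSServerInit only succeeds if the keytab the process can read (the one named by KRB5_KTNAME, or /etc/krb5.keytab by default) holds a key for exactly the principal the server asks for, and principals are case-sensitive. This script assumes, from a reading of flask-kerberos's init_kerberos, that the service name it passes to GSSAPI is "HTTP@<hostname>" with the hostname taken from socket.gethostname() unless one is passed explicitly, so it compares the keytab against both the short hostname and socket.getfqdn(). The krb5.conf fragment and the klist -k output are constructed sample inputs copied from the post; on the real server they would be replaced by the actual file and command output as the comments in main() show.

```python
import re
import socket
from typing import List

# Constructed sample inputs, copied from the post (not read from the system).
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = TEST.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 TEST.LOCAL = {
  kdc = WIN-KBRA593O67I.Test.local
 }
"""

SAMPLE_KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL
"""


def parse_default_realm(conf_text: str) -> str:
    """Pull default_realm out of krb5.conf text; empty string if absent."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else ""


def parse_klist_k(output: str) -> List[str]:
    """Return the principals listed by `klist -k`, in order (one per KVNO row)."""
    principals = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True          # the dashed rule ends the header
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            principals.append(parts[1])
    return principals


def check_keytab(klist_output: str, service: str, hostname: str, realm: str) -> List[str]:
    """Compare the keytab contents with the principal the acceptor will ask for.

    Returns human-readable problems; an empty list means the keytab holds
    exactly service/hostname@realm.
    """
    problems: List[str] = []
    principals = parse_klist_k(klist_output)
    if not principals:
        return ["keytab lists no principals (or klist -k output was not recognised)"]
    want = f"{service}/{hostname}@{realm}"
    if want in principals:
        return problems
    # Principals are case-sensitive: HTTP/host.test.local is not HTTP/host.Test.local.
    lowered = {p.lower(): p for p in principals}
    if want.lower() in lowered:
        problems.append(f"case mismatch: wanted {want}, keytab has {lowered[want.lower()]}")
        return problems
    if "." not in hostname:
        # A short name only works if GSSAPI canonicalises it to the FQDN in the keytab.
        hosts = ", ".join(p.split("/", 1)[1].split("@", 1)[0] for p in principals if "/" in p)
        problems.append(f"hostname {hostname!r} is not fully qualified; the keytab is keyed on {hosts}")
    realms = {p.rsplit("@", 1)[1] for p in principals if "@" in p}
    if realm not in realms:
        problems.append(f"realm {realm} not in keytab (keytab realms: {', '.join(sorted(realms))})")
    if not problems:
        problems.append(f"no entry for {want}; keytab has: {', '.join(principals)}")
    return problems


def main() -> None:
    # On the web server, replace the samples with the real inputs:
    #   conf = open("/etc/krb5.conf").read()
    #   out = subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout
    realm = parse_default_realm(SAMPLE_KRB5_CONF)
    for hostname in (socket.gethostname(), socket.getfqdn()):
        problems = check_keytab(SAMPLE_KLIST_K, "HTTP", hostname, realm)
        print(f"HTTP/{hostname}@{realm}: " + ("OK" if not problems else "; ".join(problems)))


if __name__ == "__main__":
    main()
```

Run it as the same user the webserver runs as, with KRB5_KTNAME exported as it will be for the webserver; a keytab that klist -k reads fine as root is not evidence that an unprivileged service account can read it.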