Re: Hi

2013-01-30 Thread vlad
Deepak,

Actually, if your sites are for internal users only you might as well just
protect the entire site with Kerberos authentication, using Apache's mod_krb5.

When your entire site is protected you don't need any special login code in
your application. Just get the user identity from the REMOTE_USER variable.

If you are on IIS, all you need to do is to click the checkbox that says
'Enable Integrated Windows Authentication'.

If you have a hybrid site that is accessible to both internal and external
users, you have to go with Ken's suggestion.

The good thing about having the entire site protected is that every browser
request will be protected by a unique token. This way you will get extra
protection against people who try to steal authentication cookies. Don't worry
about the performance, Kerberos authentication is lightning fast. However,
if your traffic goes outside of your corporate network you have to use
encrypted channels, either through VPN or HTTPS.

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: apache virtual hosts and keytabs

2010-09-29 Thread Vlad
On Sep 27, 9:58 am, Nikolay Shopik wrote:
> Hi,
>
> I wonder how to correctly generate keytabs for virtual hosts in Apache?
> From what I read, most cases suggest creating a keytab for HTTP/hostname
> where hostname is the actual hostname of the machine, not the virtual hostname.
> Error logs show these messages:
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> may provide more information (, )
>
> I've tried to generate a keytab for the virtual hostname only; this of
> course does not work.
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> provide more information (, Key table entry not found)
> If I change the hostname to match the virtual host, everything starts working just
> fine.
>
> So what configuration do I need to make virtual hosts work with Kerberos?

You should always use the hostname that is typed in the browser.
Browsers always use the hostname from the URL to request the ticket
from the KDC. If you use your actual server name, that will cause a
principal mismatch, and you will get exactly the error you are getting.

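The mismatch Vlad describes is easy to check before Apache logs a GSS error. The script below is an added example, not code from the original thread: it parses constructed `klist -k` output and a constructed Apache virtual-host fragment (both sample data, not real systems) and lists every ServerName/ServerAlias a browser could type that has no matching HTTP/<host>@REALM entry in the keytab.

```python
import re

# Constructed sample in the shape of `klist -k /etc/apache2/krb5.keytab`
# (sample data built for this example, not a real keytab listing).
SAMPLE_KLIST = """Keytab name: FILE:/etc/apache2/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web01.example.com@EXAMPLE.COM
   3 host/web01.example.com@EXAMPLE.COM
"""

# Constructed sample: the relevant lines of an Apache virtual-host configuration.
SAMPLE_VHOSTS = """<VirtualHost *:443>
    ServerName intranet.example.com
    ServerAlias wiki.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName web01.example.com
</VirtualHost>
"""


def keytab_http_hosts(klist_output):
    """Return the set of hostnames that have an HTTP/<host>@REALM keytab entry."""
    hosts = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+HTTP/([^@\s]+)@", line)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def vhost_names(apache_conf):
    """Collect every ServerName and ServerAlias value from an Apache config."""
    names = set()
    for line in apache_conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line)
        if m:
            for name in m.group(1).split():
                # ServerName may carry a scheme and port (https://host:443); drop both
                name = re.sub(r"^[a-z]+://", "", name.lower()).split(":")[0]
                names.add(name)
    return names


def missing_principals(klist_output, apache_conf):
    """Hostnames a browser may type for which the keytab holds no HTTP/ key."""
    return sorted(vhost_names(apache_conf) - keytab_http_hosts(klist_output))


if __name__ == "__main__":
    for host in missing_principals(SAMPLE_KLIST, SAMPLE_VHOSTS):
        print(f"no HTTP/{host} entry in keytab; browsers hitting {host} will fail")
```

Feed it the real `klist -k` output and your vhost config and an empty result means every name users type has a matching service principal.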


Re: gss_acquire_cred() failed

2010-06-14 Thread Vlad
Nicolas,

  The reason you are getting this message is that mod_auth_kerb
could not find the entry that matches your server name in the keytab;
you have to set it using the KrbServiceName directive, like this:

  KrbServiceName   HTTP/domai...@domain.fr

   Vlad



On Jun 14, 5:04 am, Nicolas Jaunet wrote:
> Hi !
>
> I installed mod_auth_kerb on my Debian server and created a keytab to
> authenticate with Kerberos on a web site with Apache Tomcat.
> I created a user in my KDC.
> To check, I did this:
>
> debian-server# klist -k krb5.keytab
> Keytab name: FILE:krb5.keytab
> KVNO Principal
> 
> --
>    3 HTTP/domain...@domain.fr
>
> And the file /etc/apache2/kerberos.conf :
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbMethodNegotiate on
> KrbVerifyKDC off
> KrbMethodK5Passwd off
> KrbAuthRealms DOMAIN.FR
> Krb5KeyTab /etc/apache2/krb5.keytab
> require valid-user
>
> When I try to connect to my web site with http://domain.fr
> I get a 500 Internal Server Error and the error.log file shows me this error:
>
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide
> more information (No principal in keytab matches desired name)
>
> Can someone help me?
> Thanks.

