Re: Kerberos Authentication via Apache
In comp.protocols.kerberos Russ Allbery [EMAIL PROTECTED] wrote:

> In comp.infosystems.www.servers.unix, scmoseman [EMAIL PROTECTED] writes:
>
>> The website authenticates against the Windows domain. But it uses a pop-up box for the login authentication. I'm under the impression that it should use Kerberos tickets and get my domain login info without the need to request it from me. I have seen it before, but I'm at a road block trying to figure out what I need to do.
>
> You want SPNEGO authentication. I'm not sure if mod_auth_krb can also do that as well as validate basic auth via Kerberos.

mod_auth_kerb can do SPNEGO. Find my tutorial using mod_auth_kerb and Windows 2000 as KDC at
http://www.grolmsnet.de/kerbtut/

f'up set to alt.apache.configuration

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos Authentication via Apache
Achim Grolms wrote:

>>> The website authenticates against the Windows domain. But it uses a pop-up box for the login authentication. I'm under the impression that it should use Kerberos tickets and get my domain login info without the need to request it from me. I have seen it before, but I'm at a road block trying to figure out what I need to do.
>>
>> You want SPNEGO authentication. I'm not sure if mod_auth_krb can also do that as well as validate basic auth via Kerberos.
>
> mod_auth_kerb can do SPNEGO. Find my tutorial using mod_auth_kerb and Windows 2000 as KDC at
> http://www.grolmsnet.de/kerbtut/

Thanks, Achim, you indirectly helped me solve my problem. All your steps are similar to the personal documentation I created, but the link to setting up Kerberos Eventlogs via my workstation solved my problem.

My Kerberos tickets were created using the hostname of the server, but the website is accessed via a virtual hostname. It appears Kerberos wants to use the virtual hostname in the Kerberos ticket, so I can solve my problem by re-creating the tickets for this server.

Thanks,
Scott
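Added example (not part of the original thread, and not code from any poster): a shell check that a keytab holds an HTTP service principal for every hostname the site is reached under, which is the mismatch Scott describes above. The hostnames web01.mydomain.com and intranet.mydomain.com and the sample listing are constructed; the listing is assumed to be in the format printed by MIT `klist -k`.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that a keytab listing holds an
# HTTP service principal for every hostname the site is reached under.
# Assumption: the listing is in the format printed by MIT `klist -k`.

# Constructed sample: keytab created for the server's own hostname only.
SAMPLE_LISTING='Keytab name: FILE:/var/kerberos/krb5kdc/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web01.mydomain.com@MYDOMAIN.COM
   3 host/web01.mydomain.com@MYDOMAIN.COM'

# keytab_has_spn LISTING HOST REALM
# Succeeds only if the exact principal HTTP/HOST@REALM has a key entry.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v want="HTTP/$2@$3" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit !found }'
}

# check_vhosts LISTING REALM HOST...
# Prints one line per hostname; the return status is the number missing.
check_vhosts() {
    listing=$1; realm=$2; shift 2
    missing=0
    for host in "$@"; do
        if keytab_has_spn "$listing" "$host" "$realm"; then
            echo "OK       HTTP/$host@$realm"
        else
            echo "MISSING  HTTP/$host@$realm"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# web01 is the (hypothetical) real hostname, intranet the virtual hostname.
check_vhosts "$SAMPLE_LISTING" MYDOMAIN.COM \
    web01.mydomain.com intranet.mydomain.com || true
# Against a real keytab: check_vhosts "$(klist -k /path/to/http.keytab)" ...
```

A MISSING line for the virtual hostname means the keytab has no key for the name the browser is using, so the keytab entries need to be re-created for that name.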
Re: Kerberos Authentication via Apache
In comp.protocols.kerberos Scott Moseman [EMAIL PROTECTED] wrote:

>> mod_auth_kerb can do SPNEGO. Find my tutorial using mod_auth_kerb and Windows 2000 as KDC at
>> http://www.grolmsnet.de/kerbtut/
>
> Thanks, Achim, you indirectly helped me solve my problem. All your steps are similar to the personal documentation I created, but the link to setting up Kerberos Eventlogs via my workstation solved my problem.
>
> My Kerberos tickets were created using the hostname of the server, but the website is accessed via a virtual hostname. It appears Kerberos wants to use the virtual hostname in the Kerberos ticket, so I can solve my problem by re-creating the tickets for this server.

Scott, my tutorial is missing a section on how to handle virtual hosts. (Other people have asked me that.) Can you send me your personal documentation of virtual host setup so I can add that information to my tutorial?

Thank you,
Achim
Kerberos Authentication via Apache
Re: RHEL 3, Krb5 1.3.3, Apache 2.0, and mod_auth_kerb.

The server has joined the Windows domain, no problems. The Kerberos tickets are set up for Apache, works good.

Here's an example of an .htaccess file for a website:

    AuthType Kerberos
    AuthName MYDOMAIN
    KrbMethodNegotiate on
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealm MYDOMAIN.COM
    Krb5Keytab /var/kerberos/krb5kdc/http.keytab
    <Limit GET POST>
    require valid-user
    </Limit>

The website authenticates against the Windows domain. But it uses a pop-up box for the login authentication. I'm under the impression that it should use Kerberos tickets and get my domain login info without the need to request it from me. I have seen it before, but I'm at a road block trying to figure out what I need to do.

My IE is set up with Integrated Windows Authentication and the website is even in my Local intranet zones. Is there another step that I am missing on the Apache?

Thanks,
Scott
Re: Kerberos Authentication via Apache
MOD_KRB5 or whatever you are using just auth against krb db without ticket support. Read documentation. Instead of that you could use mod_auth_ntlm, it works in a single-sign-on mode.

regards
LD

On Tue, 11 Jan 2005 [EMAIL PROTECTED] wrote:

> Re: RHEL 3, Krb5 1.3.3, Apache 2.0, and mod_auth_kerb.
>
> The server has joined the Windows domain, no problems. The Kerberos tickets are set up for Apache, works good.
>
> Here's an example of an .htaccess file for a website:
>
>     AuthType Kerberos
>     AuthName MYDOMAIN
>     KrbMethodNegotiate on
>     KrbAuthoritative on
>     KrbVerifyKDC off
>     KrbAuthRealm MYDOMAIN.COM
>     Krb5Keytab /var/kerberos/krb5kdc/http.keytab
>     <Limit GET POST>
>     require valid-user
>     </Limit>
>
> The website authenticates against the Windows domain. But it uses a pop-up box for the login authentication. I'm under the impression that it should use Kerberos tickets and get my domain login info without the need to request it from me. I have seen it before, but I'm at a road block trying to figure out what I need to do.
>
> My IE is set up with Integrated Windows Authentication and the website is even in my Local intranet zones. Is there another step that I am missing on the Apache?
>
> Thanks,
> Scott
Re: Kerberos Authentication via Apache
In comp.infosystems.www.servers.unix, scmoseman [EMAIL PROTECTED] writes:

> The website authenticates against the Windows domain. But it uses a pop-up box for the login authentication. I'm under the impression that it should use Kerberos tickets and get my domain login info without the need to request it from me. I have seen it before, but I'm at a road block trying to figure out what I need to do.

You want SPNEGO authentication. I'm not sure if mod_auth_krb can also do that as well as validate basic auth via Kerberos. The Apache module I'm familiar with to do SPNEGO authentication is mod_auth_gss_krb5, available from:

http://modgssapache.sourceforge.net/

--
Russ Allbery ([EMAIL PROTECTED])
http://www.eyrie.org/~eagle/
Re: Kerberos Authentication via Apache
Luis Daniel Lucio Quiroz wrote:

> MOD_KRB5 or whatever you are using just auth against krb db without ticket support. Read documentation. Instead of that you could use mod_auth_ntlm, it works in a single-sign-on mode.

mod_auth_krb5 can use BOTH client (accept HTTP-Auth BASIC and run like a kinit would) and server modes (act as a server with a keytab).

Nix.