Re: Problem to have mod_auth_kerb to work

2006-01-17 Thread Smellyfrog
Thanks you all for your help, I eventually managed to make it work. What was wrong in my config: - The keytab had not been generated exactly like it was describe in Achim's guide (http://www.grolmsnet.de/kerbtut/ ). Solution: regenerate the keytab using EXACTLY the settings described by Achim in t

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Achim Grolms
On Thursday 12 January 2006 19:01, Victor Sudakov wrote: > Does mod_auth_kerb really do GSSAPI ? Yes. Please have a look at > I thought it was just an implementation of HTTP basic auth, with Kerberos > instead of the Au

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Victor Sudakov
"Martin v. L?wis" wrote: >> I have read http://modauthkerb.sourceforge.net/configure.html and it >> is not clear to me: how do you turn off Basic and leave only GSSAPI on? > > What's unclear about > > KrbMethodK5Passwd on | off (set to on by default) The term "KrbMethodK5Passwd" was unclear. So

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Smellyfrog
Hi all, Another mistake of mine was that I had set the log level to debug in apache but not for the virtual host. So now that this is done, this is the kind of debug statement I get from apache: [Fri Jan 13 10:40:45 2006] [info] Initial (No.1) HTTPS request received for child 2 (server GTCI2736VM

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Smellyfrog
OK, it's getting sad. I'm replying to my own posts. ;o) What was wrong was the way the Keytab had been generated. I asked our admin to regenerate it but this time following exactly Achim's way. So now I have a ticket for the HTTP service being generated in my XP Client. In apache though I have the

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Victor Sudakov
Smellyfrog wrote: > > I have a linux (Fedore core 4) web server running Apache (2.0) with > mod_auth_kerb and Tomcat. > I want to implement a SSO for my web application. Does mod_auth_kerb really do GSSAPI ? I thought it was just an implementation of HTTP basic auth, with Kerberos instead of th

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Smellyfrog
Hi Achim, Following are the headers of the request and reply to and from the webserver. Request from IE to the webserver: GET /iViewXT/login.do HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-ie Host: gtci2736vm User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.

Re: Problem to have mod_auth_kerb to work

2006-01-16 Thread Victor Sudakov
Markus Moeller wrote: >>> >>> I have a linux (Fedore core 4) web server running Apache (2.0) with >>> mod_auth_kerb and Tomcat. >>> I want to implement a SSO for my web application. >> >> Does mod_auth_kerb really do GSSAPI ? >> >> I thought it was just an implementation of HTTP basic auth, with Ke

Re: Problem to have mod_auth_kerb to work

2006-01-13 Thread Martin v. Löwis
Victor Sudakov wrote: > I have read http://modauthkerb.sourceforge.net/configure.html and it > is not clear to me: how do you turn off Basic and leave only GSSAPI on? What's unclear about KrbMethodK5Passwd on | off (set to on by default) To enable or disable the use of password based authent

Re: Problem to have mod_auth_kerb to work

2006-01-13 Thread Russ Allbery
Smellyfrog <[EMAIL PROTECTED]> writes: > [Fri Jan 13 12:57:16 2006] [debug] src/mod_auth_kerb.c(1023): [client > 172.24.25.100] Acquiring creds for HTTP/[EMAIL PROTECTED] This looks wrong. Normally the instance of the HTTP/* principal must be a fully-qualified hostname. -- Russ Allbery ([EMAIL

Re: Problem to have mod_auth_kerb to work

2006-01-13 Thread Markus Moeller
Check the keytab permissions. If apache runs as webuser and the default keytab has only root read permission you will see this error. Markus "Smellyfrog" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > OK, it's getting sad. I'm replying to my own posts. ;o) What was wrong > was th

Re: Problem to have mod_auth_kerb to work

2006-01-12 Thread Martin v. Löwis
Smellyfrog wrote: > My problem: IE (And Firecfox, but if could at least get IE to work that > would be a start) keeps poping the logon window. For IE, you need the server in the LocalIntranet zone. If it is displayed as "Internet", double-click that icon, and add the server explicitly. This is li

Re: Problem to have mod_auth_kerb to work

2006-01-12 Thread Achim Grolms
On Thursday 12 January 2006 17:06, Smellyfrog wrote: > My problem: IE (And Firecfox, but if could at least get IE to work that > would be a start) keeps poping the logon window. Please 1. send the relevant part from Apache errorlog 2. Do a HEAD request to the location and send the HTTP-Headers

Re: Problem to have mod_auth_kerb to work

2006-01-12 Thread Markus Moeller
mod_auth_kerb can do either GSSAPI and/or Kerberos through Basic (you should protect it with SSL) Markus "Victor Sudakov" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Smellyfrog wrote: >> >> I have a linux (Fedore core 4) web server running Apache (2.0) with >> mod_auth_kerb an

Problem to have mod_auth_kerb to work

2006-01-12 Thread Smellyfrog
Hi, I have a linux (Fedore core 4) web server running Apache (2.0) with mod_auth_kerb and Tomcat. I want to implement a SSO for my web application. I have setup my system according to some documentation I found on the web: http://www.grolmsnet.de/kerbtut/ So I have my account created on the KDC