I am trying to set up Integrated Windows Authentication with Kerberos using Active Directory on Windows Server 2008, and everything works well: I am able to get Kerberos tickets on successful login. I am facing a problem in forwarding this ticket to the server where Apache is configured. When forwarding the ticket, KRB5CCNAME is not set in the Apache/PHP environment variables.
My Kerberos configuration file (krb5.conf) is:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DIVAMI.COM
default_keytab_file = /etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DIVAMI.COM = {
kdc = meluha.divami.com:88
admin_server = meluha.divami.com:749
default_domain = divami.com
}
[domain_realm]
meluha.divami.com = DIVAMI.COM
divami.com = DIVAMI.COM
The Apache mod_auth_kerb configuration file (auth_kerb) is:
<Location /perfmon>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DIVAMI.COM
Krb5KeyTab /etc/httpd/conf.d/apache.keytab
KrbSaveCredentials On
KrbServiceName HTTP/greenplum.divami.com
require valid-user
ErrorDocument 404 "No favicon"
</Location>
Browser configuration
Firefox
Set network.negotiate-auth.delegation-uris to greenplum.divami.com.
Set network.negotiate-auth.trusted-uris to greenplum.divami.com
IE
In Internet Explorer, select Tools > Internet Options.
In the Local Internet (Advanced) dialog box, enter all relative domain names that will be used on the intranet (e.g. greenplum.divami.com).
When I set KrbMethodK5Passwd On, the browser prompts for a Kerberos username and password; on giving valid credentials a ticket is generated and its cache location is set in the Apache/PHP environment variable KRB5CCNAME. Using this variable KRB5CCNAME we can use the Kerberos ticket that is forwarded as the credential for authentication.
I am getting the following error messages when KrbMethodK5Passwd is Off.
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1278): [client 10.81.17.156] Acquiring creds for HTTP/greenplum.divami.com
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1707): [client 10.81.17.156] Client didn't delegate us their credential
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1726): [client 10.81.17.156] GSS-API token of length 180 bytes will be sent back
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API , referer:http://greenplum.divami.com/perfmon/login.php
I have no idea whether the browser fails to pick up the Kerberos ticket, or the browser picks the ticket but is unable to set the cache location in KRB5CCNAME. Please help me in solving this issue.
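As an added example (not code from the question), here is a small PHP page that shows what the application behind this mod_auth_kerb setup can and cannot see: with KrbSaveCredentials On, mod_auth_kerb exports KRB5CCNAME only when the browser actually delegated a ticket, so the script distinguishes "authenticated but not delegated" (the log's "Client didn't delegate us their credential") from "delegated, cache present". It assumes the page runs under Apache so that mod_auth_kerb's per-request variables reach $_SERVER (mod_php or CGI/FPM), and that klist is installed on the web server; the function names are mine.

```php
<?php
// Hypothetical helper: return the delegated credential-cache path, or null.
// mod_auth_kerb sets KRB5CCNAME=FILE:/tmp/krb5cc_apache_XXXX only when the
// client forwarded a ticket; REMOTE_USER alone means Negotiate succeeded
// without delegation.
function delegated_ccache(array $server): ?string
{
    if (empty($server['REMOTE_USER']) || empty($server['KRB5CCNAME'])) {
        return null;
    }
    $cc = $server['KRB5CCNAME'];
    // mod_auth_kerb writes FILE: caches; refuse any other cache type.
    if (strpos($cc, 'FILE:') !== 0) {
        return null;
    }
    $path = substr($cc, 5);
    // The cache must exist and be readable by the Apache user.
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    return $path;
}

// Hypothetical helper: ask klist which principal the cache holds, so the page
// can confirm the forwarded ticket belongs to REMOTE_USER.
function ccache_principal(string $path): ?string
{
    $out = [];
    exec('klist -c ' . escapeshellarg($path) . ' 2>&1', $out, $rc);
    if ($rc !== 0) {
        return null;
    }
    foreach ($out as $line) {
        if (preg_match('/^Default principal:\s*(\S+)/', $line, $m)) {
            return $m[1];
        }
    }
    return null;
}

$user = htmlspecialchars($_SERVER['REMOTE_USER'] ?? '(none)');
$path = delegated_ccache($_SERVER);
if ($path === null) {
    header('HTTP/1.1 403 Forbidden');
    echo "Authenticated as {$user}, but no delegated ticket was received.\n";
    exit;
}
// Expose the cache to any child process this page spawns (e.g. kerberized CLI tools).
putenv('KRB5CCNAME=FILE:' . $path);
$princ = htmlspecialchars(ccache_principal($path) ?? 'unknown');
echo "Authenticated as {$user}; delegated cache " . htmlspecialchars($path)
   . " holds principal {$princ}.\n";
```

A 403 from this page while REMOTE_USER is populated means Negotiate worked but the browser did not forward a ticket, which matches the "Client didn't delegate us their credential" line in the debug log rather than a problem setting the variable.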