2
votes

I'm trying to set up Kerberos SSO in Moodle but I'm getting an error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25):

1) I've configured kerberos on Apache: installed kerberos, configured via /etc/krb5.cnf, and tested via kinit command getting right kerberos tickets. WORKS

2) I've created a virtual host in Apache with a folder with Kerberos authentication for testing: created a keytab file, tested that authentication through Kerberos works in the testing virtual site. I get the LDAP REMOTE_USER info and it passes the authentication; Kerberos traffic is also generated (fetched Kerberos traffic with Wireshark). WORKS

3) Configured virtual host to use kerberos to authenticate to moodle: as shown in moodle documentation.

Moodle Kerberos SSO documentation

4) Configured moodle's LDAP auth plugin: login with an LDAP user works fine. WORKS

5) Configured NTLM options in moodle's ldap plugin: I've tested and it does generate kerberos authentication network traffic (fetched kerberos with wireshark). But I'm getting a KRB5KDC_ERR_PREAUTH_REQUIRED (25).

Moodle LDAP configuration (NTLM section):

Enable = yes
Subnetwork = 192.168.0.0/16
Authentication type = kerberos
Username format = (none)


My virtual host configuration for both sites (test folder and moodle folder) is:

<VirtualHost *:80>
        # General
        ServerAdmin [email protected]
        DocumentRoot /home/moodle/moodle
        ServerName mymoodle.es  
        LogLevel debug
        ErrorLog logs/testing-error.log
        CustomLog logs/testing.log combined

        <Location /krb_testing>
          ## Networks for which SSO is offered
          AuthType Kerberos
          AuthName "Kerberos Login"

          KrbMethodNegotiate On
          KrbMethodK5Passwd Off
          KrbServiceName HTTP/[email protected]
          KrbAuthRealms MYREALM.DOMAIN.ES  
          Krb5KeyTab      /etc/krb5.keytab

          ## Without require valid-user the negotiation does not take place
          require valid-user
        </Location>

        <Directory /home/moodle/moodle/auth/ldap/>
        <Files ntlmsso_magic.php>
            AuthName "Moodle"
            AuthType Kerberos
            KrbAuthRealms MYREALM.DOMAIN.ES
            KrbServiceName HTTP/[email protected]
            Krb5KeyTab      /etc/krb5.keytab
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            KrbAuthoritative on
            require valid-user
        </Files>
        </Directory>           
</VirtualHost>

Apache version: Apache/2.2.15 (CentOS)

Moodle version: 2.4.7

1
What do you want? LDAP bind, NTLM or Kerberos? - Michael-O
Then change your entire question to the relevant Kerberos portion. - Michael-O
Changed NTLM terms for Kerberos, though config in Moodle is made under LDAP's NTLM section - Packet Tracer
NTLM SSO has nothing to do with Kerberos SSO. You should inquire with Moodle to clarify that. So Moodle is broken. - Michael-O
This means that the client has to provide his password to kinit. - Michael-O

1 Answer

0
votes

Today I had a similar situation when I was configuring SSO (Kerberos). I solved the issue when I set KrbServiceName HTTP.

You should replace KrbServiceName HTTP/[email protected] with KrbServiceName HTTP, and then SSO will work correctly.
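
A lint for the two settings this thread turns on, as an added example that is not part of the original question or answer: it walks an Apache config and flags a KrbServiceName that carries a realm (the form the answer replaces with the bare HTTP) and KrbMethodK5Passwd on inside a port-80 virtual host, where mod_auth_kerb's password fallback would collect credentials over unencrypted HTTP. The `audit` function, the sample config, and its host and realm names are constructed for illustration.

```python
import re

# Constructed sample modelled on the question's vhost; host and realm are placeholders.
SAMPLE = """\
<VirtualHost *:80>
    <Location /krb_testing>
        AuthType Kerberos
        KrbMethodK5Passwd Off
        KrbServiceName HTTP/moodle.example.test@EXAMPLE.TEST
    </Location>
    <Files ntlmsso_magic.php>
        AuthType Kerberos
        KrbServiceName HTTP/moodle.example.test@EXAMPLE.TEST
        KrbMethodK5Passwd on
    </Files>
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")

def audit(conf):
    """Return (section path, message) findings for Kerberos directives."""
    stack, findings = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):          # leaving a section
            if stack:
                stack.pop()
            continue
        m = OPEN.fullmatch(line)
        if m:                              # entering a section
            stack.append((m.group(1), m.group(2).strip()))
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()            # directive names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        where = " > ".join(f"{t} {a}".strip() for t, a in stack)
        plain_http = any(t.lower() == "virtualhost" and a.endswith(":80") for t, a in stack)
        if name == "krbservicename" and "@" in value:
            findings.append((where, "KrbServiceName carries a realm; the answer uses bare HTTP"))
        if name == "krbmethodk5passwd" and value.lower() == "on" and plain_http:
            findings.append((where, "password fallback enabled on a port-80 vhost"))
    return findings

if __name__ == "__main__":
    for where, msg in audit(SAMPLE):
        print(f"{where}: {msg}")
```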