I am trying to use mod_auth_kerb to log users in to my website automatically, against an AD server running on a W2008 server. The user is already logged in to the Windows network and then visits the site.
My virtual server is configured as:
<Location />
Order allow,deny
Satisfy Any
AuthType Kerberos
AuthName "Kerberos Login ORN"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName Any
KrbAuthRealms EXAMPLE.ES
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
I can kinit successfully from the Apache server:
kinit -t /etc/HTTP-hesl035.keytab
Password for HTTP-hesl035@EXAMPLE.ES:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP-hesl035@EXAMPLE.ES
Valid starting Expires Service principal
11/07/13 17:55:46 11/08/13 03:55:51 krbtgt/EXAMPLE.ES@EXAMPLE.ES
renew until 11/08/13 03:55:46
or
kinit HTTP-hesl035
Password for HTTP-hesl035@EXAMPLE.ES:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP-hesl035@EXAMPLE.ES
Valid starting Expires Service principal
11/07/13 17:57:26 11/08/13 03:57:26 krbtgt/EXAMPLE.ES@EXAMPLE.ES
renew until 11/08/13 03:57:26
I configured Firefox with the following settings:
network.negotiate-auth.delegation.uris = testing.example.es
network.negotiate-auth.trusted.uris = testing.example.es
When I visit the site, I am asked for authorization.
The first header the browser sends is:
GET Host: testing.example.es
The server's first header response is:
401 Authorization required
WWW-authenticate: Negotiate
The second header the browser sends is:
GET Host: testing.example.es
Authentication: Negotiate {TOKEN}
The second header the server sends is:
401 Athorization required
The Apache log says the following:
[Thu Nov 07 18:06:09 2013] [debug] src/mod_auth_kerb.c(1939): [client 192.168.4.16] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 07 18:06:09 2013] [debug] src/mod_auth_kerb.c(1939): [client 192.168.4.16] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 07 18:06:09 2013] [debug] src/mod_auth_kerb.c(1691): [client 192.168.4.16] Verifying client data using KRB5 GSS-API
[Thu Nov 07 18:06:09 2013] [debug] src/mod_auth_kerb.c(1707): [client 192.168.4.16] Client didn't delegate us their credential
[Thu Nov 07 18:06:09 2013] [debug] src/mod_auth_kerb.c(1735): [client 192.168.4.16] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Thu Nov 07 18:06:09 2013] [debug] src/mod_auth_kerb.c(1138): [client 192.168.4.16] GSS-API major_status:00010000, minor_status:00000000
[Thu Nov 07 18:06:09 2013] [error] [client 192.168.4.16] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
Using krbtray.exe on the user's Windows machine, I see the following tickets:
EXAMPLE.ES
- host/minit-bn-example.es
- krbtgt/EXAMPLE.ES
When I visit the Apache app, I get krbtgt/EXAMPLE.ES.
It seems the client is sending a Kerberos ticket, but I am not sure. Does anyone know what the problem is?
EDIT:
If I set KrbMethodK5Passwd to On in the Apache conf, a popup with a user/password form appears when I visit the web application, but I cannot log in with the user's credentials.
The Apache log says:
[Thu Nov 07 17:41:34 2013] [debug] src/mod_auth_kerb.c(1939): [client 192.168.4.16] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 07 17:41:34 2013] [error] [client 192.168.4.16] Error parsing server name (Any): Hostname cannot be canonicalized
[Thu Nov 07 17:41:34 2013] [debug] src/mod_auth_kerb.c(1110): [client 192.168.4.16] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
If I capture packets with Wireshark on the Windows client, I get 2 Kerberos errors sent from the AD to the Windows client:
KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
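The "received token seems to be NTLM" warning in the log above and the "Negotiate {TOKEN}" header are where this added check fits (example code written for this page, not from the question or from mod_auth_kerb): it decodes the token a browser puts in the Negotiate header and reports whether it is raw NTLM, a SPNEGO wrapper, or bare Kerberos, and for SPNEGO lists the mechTypes the client offers, so an admin can tell from a captured header whether the client ever obtained a Kerberos service ticket. The two sample tokens are constructed, not captured from the asker's hosts.

```python
import base64
# Mechanism OIDs that appear in GSS-API / SPNEGO tokens on the wire.
MECH_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
def _der_length(buf, pos):  # DER length field at buf[pos] -> (length, next position)
    n = buf[pos] & 0x7F if buf[pos] >= 0x80 else 0
    return (int.from_bytes(buf[pos + 1:pos + 1 + n], "big") if n else buf[pos]), pos + 1 + n

def _decode_oid(raw):  # DER OID content bytes -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _spnego_mech_types(token, pos):
    """NegTokenInit is [0] SEQUENCE { [0] SEQUENCE OF OID, ... }: list its mechTypes."""
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        if pos >= len(token) or token[pos] != tag:
            return []
        length, pos = _der_length(token, pos + 1)
    end, mechs = pos + length, []
    while pos < end and token[pos] == 0x06:
        length, pos = _der_length(token, pos + 1)
        mechs.append(MECH_OIDS.get(_decode_oid(token[pos:pos + length]), "unknown"))
        pos += length
    return mechs

def classify_negotiate_token(header_value):
    """Return (mechanism, mechTypes) for an 'Authorization: Negotiate <base64>' value."""
    token = base64.b64decode(header_value.strip().partition(" ")[2])
    if token.startswith(b"NTLMSSP\x00"):    # the prefix mod_auth_kerb warns about
        return "NTLM (raw NTLMSSP, no GSS wrapper)", []
    if len(token) < 4 or token[0] != 0x60:  # GSS-API InitialContextToken tag
        return "unknown token format", []
    _, pos = _der_length(token, 1)          # then the mechanism OID (tag 0x06)
    oid_len, pos = _der_length(token, pos + 1)
    mech = MECH_OIDS.get(_decode_oid(token[pos:pos + oid_len]), "unknown")
    return mech, (_spnego_mech_types(token, pos + oid_len) if mech == "SPNEGO" else [])
def _tlv(tag, body):  # short-form DER TLV, only used to build the constructed samples
    return bytes([tag, len(body)]) + body
# Constructed samples (not captured from the asker's hosts): a raw NTLM type-1 message, and
# a SPNEGO NegTokenInit offering NTLMSSP before Kerberos 5, the shape of a Windows NTLM fallback.
NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(24)).decode()
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(_tlv(0x60, b"\x06\x06\x2b\x06\x01\x05\x05\x02"
    + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
    + b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")))))).decode()
```

If the browser's token classifies as NTLM, or as SPNEGO with NTLMSSP listed first, the client never got a Kerberos ticket for the HTTP SPN, which points at the KDC (SPN registration) rather than at the Apache side.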
Answer 0 (score: 1)
The KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error is caused by a wrongly generated mapping file from ktpass.exe on the AD server.
Generate the correct mapping file with ktpass.exe as follows:
ktpass -princ HTTP/example.es@EXAMPLE.ES -mapuser username\HTTP-hesl035 -crypto ALL -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out c:\temp\krb5.keytab
Assign the SPN to the user with setspn.exe on the AD server:
setspn -s HTTP/example.es HTTP-hesl035