'mod_auth_kerb' authentication issue with Kerberos

sksahu



Joined: 18 Sep 2017
Posts: 1
Location: India, Bangalore

Posted: Mon 18 Sep '17 16:54    Post subject: 'mod_auth_kerb' authentication issue with Kerberos

Hi,
Please find below the configuration for our application (MediaWiki 1.25.3) with Apache/2.2.15 (Unix) environments.
a) MediaWiki application configured with SSO, verifying authentication with the Kerberos server.
b) MediaWiki has been set up for SSL/TLS to ensure a secure connection.
c) Below are the 5 crypto (encryption) types earlier used in the keytab file to establish a successful Kerberos authentication using a single SPN.
• (des-cbc-crc)
• (des-cbc-md5)
• (arcfour-hmac)
• (aes256-cts-hmac-sha1-96)
• (aes128-cts-hmac-sha1-96)
d) Following is the Kerberos configuration in 'httpd.conf':
<Location "/wiki">
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms realarmname
KrbServiceName HOST/wiki.com@realarmname
Krb5Keytab /etc/httpd/conf/keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping On
KrbVerifyKDC off
Require valid-user
ErrorDocument 401 /cgi-bin/r.cgi
</Location>
e) Kerberos 5 version 1.10.3
f) Apache/2.2.15 (Unix), PHP 5.3.3 (apache2handler) & MySQL 5.1.73


As per corporate policy, weak cryptos are now no longer supported and are denied. We generated the new keytab (binary file) using the following strong crypto types on the KDC server.
• (aes256-cts-hmac-sha1-96)
• (aes128-cts-hmac-sha1-96)

Now we are having an issue with authentication. Kerberos authentication could not be resumed and throws the following error in the Apache error log:
• gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )


The following error was tracked in the browser while opening the wiki URL in Mozilla:
• This site can’t be reached
• The webpage at https://wikitest.com/wiki/ might be temporarily down or it may have moved permanently to a new web address.
• ERR_ACCESS_DENIED


=========== WORKAROUND done in the following couple of configuration files after initialization of the new keytab (binary file) =============
The new keytab with crypto type (aes256-cts-hmac-sha1-96) has been initialized, and meanwhile we got the TGT from the KDC server, which lists the latest KVNO and a couple of SPNs used.

1. Changed configuration in 'ssl.conf':
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on

2. Changed configuration in 'krb5.conf'
Below is the workaround.
Added the configuration below in 'etc/' to support the crypto types aes256-cts-hmac-sha1-96/aes128-cts-hmac-sha1-96 [Kerberos client config]:
default_keytab_name = FILE:/etc/httpd/conf/st-vwikidev.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96

After all of the above configuration changes on the RHL server, we are still not able to resume Kerberos authentication on our server.

Please let us know whether Apache/2.2.15 supports the strong crypto type aes256-cts-hmac-sha1-96 being validated through the mod_auth_kerb module, or whether we need to upgrade to Apache 2.4 to support this strong crypto. Please help/suggest; it would be highly appreciated.


Thanks in advance.
Sanjay
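The post above regenerates a keytab with AES-only enctypes and then cannot authenticate. Before changing httpd.conf or krb5.conf, the check a practitioner wants is what the keytab on disk actually contains: which principals, which key version numbers (kvno), and which enctypes, so that it can be compared with what the KDC now issues and with `permitted_enctypes` in krb5.conf. The script below is an added example, not code from the forum post or from mod_auth_kerb: it parses the MIT version-2 keytab binary format, lists enctypes and kvnos per principal without exposing key bytes, and flags the DES/RC4 types the poster's policy denies or the AES types that are missing. The realm `REALM.EXAMPLE`, the all-zero sample keys, the two sample keytabs and the `build_keytab()` helper are constructed for this demo; the SPN `HOST/wiki.com` is the one from the post.

```python
"""Audit the encryption types in an MIT-format (v2) Kerberos keytab.

Added example (not from the forum post). REALM.EXAMPLE, the sample keys
and build_keytab() are constructed input; real keytabs come from kadmin/ktutil.
"""
import struct

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}      # the types the post says policy now denies
STRONG_ENCTYPES = (17, 18)      # the types the new keytab was built with


def _counted(data: bytes) -> bytes:
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v2 keytab (demo input only)."""
    out = bytearray(b"\x05\x02")                  # keytab format version 2
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)           # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return [{principal, kvno, enctype}, ...]; key material is skipped, never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                              # negative size = deleted slot, skip the hole
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        pos += 8                                  # name_type + timestamp
        vno8 = blob[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen                           # skip the key bytes
        kvno = vno8
        if end - pos >= 4:                        # 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def audit_keytab(blob: bytes, required=STRONG_ENCTYPES):
    """Per principal: sorted kvnos and enctype names, weak types present, required types missing."""
    report = {}
    for e in parse_keytab(blob):
        r = report.setdefault(e["principal"], {"kvnos": set(), "types": set()})
        r["kvnos"].add(e["kvno"])
        r["types"].add(e["enctype"])
    name = lambda t: ENCTYPE_NAMES.get(t, f"enctype-{t}")
    for r in report.values():
        r["weak"] = sorted(name(t) for t in r["types"] & WEAK_ENCTYPES)
        r["missing"] = sorted(name(t) for t in set(required) - r["types"])
        r["enctypes"] = sorted(name(t) for t in r.pop("types"))
        r["kvnos"] = sorted(r["kvnos"])
    return report


SPN = "HOST/wiki.com"
# Constructed samples: the old five-enctype keytab (kvno 3) and the AES-only replacement (kvno 4)
OLD_KEYTAB = build_keytab([(SPN, "REALM.EXAMPLE", 3, t, bytes(n)) for t, n in
                           ((1, 8), (3, 8), (23, 16), (17, 16), (18, 32))])
NEW_KEYTAB = build_keytab([(SPN, "REALM.EXAMPLE", 4, 17, bytes(16)),
                           (SPN, "REALM.EXAMPLE", 4, 18, bytes(32))])
```

To run it against a real file, call `audit_keytab(open("/etc/httpd/conf/keytab", "rb").read())` as the user httpd runs as; the output should match `klist -kte` on the same file. A principal whose only remaining kvno is newer than the one the KDC is still issuing tickets for, or whose enctype set does not intersect `permitted_enctypes`, is exactly the case in which `gss_accept_sec_context()` has no usable key.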