Joined: 18 Sep 2017
Location: India, Bangalore
Posted: Mon 18 Sep '17 16:54 Post subject: 'mod_auth_kerb' authentication issue with Kerberos
Please see below the configuration for our application (MediaWiki 1.25.3) in the Apache/2.2.15 (Unix) environment.
a) MediaWiki application configured for SSO, with authentication verified against the Kerberos server.
b) MediaWiki is set up with SSL/TLS to ensure a secure connection.
c) Below are the 5 crypto (encryption) types previously used in the keytab file to establish successful Kerberos authentication with a single SPN.
d) The following is the Kerberos configuration in 'httpd.conf':
AuthName "Kerberos Login"
ErrorDocument 401 /cgi-bin/r.cgi
e) Kerberos 5 version 1.10.3
f) Apache/2.2.15(Unix), PHP 5.3.3 (apache2handler) & MySQL 5.1.73
As per corporate policy, weak cryptos are no longer supported and are denied. We generated the new keytab (binary file) using the following strong crypto types on the KDC server.
Now we are having a problem with authentication. Kerberos authentication could not be resumed and throws the following error in the Apache error log:
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
The following error was seen in the browser while opening the wiki URL in Mozilla:
This site can't be reached
The webpage at https://wikitest.com/wiki/ might be temporarily down or it may have moved permanently to a new web address.
=========== WORKAROUND done in the following configuration files after initialization of the new keytab (binary file) =============
The new keytab with crypto type (aes256-cts-hmac-sha1-96) has been initialized, and meanwhile we got the TGT from the KDC server, which lists the latest KVNO and the couple of SPNs used.
1. Changed Configuration for 'ssl.conf'
SSLProtocol All -SSLv2 -SSLv3
2. Changed Configuration for 'krb5.conf'
Below is the workaround:
Added the configuration below in 'etc/' to support the cryptos aes256-cts-hmac-sha1-96/aes128-cts-hmac-sha1-96 [Kerberos client config]:
default_keytab_name = FILE:/etc/httpd/conf/st-vwikidev.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
After all of the above configuration changes on the RHEL server, we are still not able to resume Kerberos authentication on our server.
Please let us know whether Apache/2.2.15 supports the strong crypto type aes256-cts-hmac-sha1-96 being validated through the mod_auth_kerb module, or whether we need to upgrade to Apache 2.4 to support this strong crypto. Please help/suggest; it is highly appreciated.
Thanks in advance.
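Added example, not part of the original post and not code from mod_auth_kerb: which enctypes can be accepted is decided by the krb5 library that mod_auth_kerb links against (MIT krb5 1.10.3 supports the AES enctypes), not by the httpd version, so a `gss_accept_sec_context()` failure right after re-keying usually means the keytab does not hold the key the browser's service ticket was encrypted with: a KVNO behind the KDC's, no AES key for the exact SPN the browser requested, or a keytab file the httpd user cannot read. The script below checks those points. It runs offline against a constructed `klist -kte` listing; the keytab path is the one from the post's krb5.conf, while the realm EXAMPLE.COM, the `host/` entry and the listing itself are assumptions. The `--live` branch runs the real `klist -kte`, `kinit -kt`, `kvno` and `klist -e` commands on the web server.

```shell
#!/bin/sh
# Added example (not from the original post): keytab sanity checks for a
# mod_auth_kerb service principal. KEYTAB is the path from the post's
# krb5.conf; the realm EXAMPLE.COM is an assumption.
KEYTAB="/etc/httpd/conf/st-vwikidev.keytab"
SPN="HTTP/wikitest.com@EXAMPLE.COM"   # assumed realm

# Constructed sample of what `klist -kte "$KEYTAB"` prints with MIT krb5:
# KVNO, timestamp, principal, enctype in parentheses. It models a keytab that
# was re-keyed with AES (KVNO 3) but still carries the old DES/RC4 keys.
SAMPLE_LISTING='Keytab name: FILE:/etc/httpd/conf/st-vwikidev.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/01/2017 10:00:00 HTTP/wikitest.com@EXAMPLE.COM (arcfour-hmac)
   2 09/01/2017 10:00:00 HTTP/wikitest.com@EXAMPLE.COM (des-cbc-md5)
   3 09/18/2017 09:30:00 HTTP/wikitest.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 09/18/2017 09:30:00 HTTP/wikitest.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 09/18/2017 09:30:00 host/wikitest.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Enctypes a "no weak crypto" policy normally rejects: single DES, RC4 and
# the deprecated triple-DES (RFC 6649 / RFC 8429).
WEAK_ENCTYPES="des-cbc-crc des-cbc-md4 des-cbc-md5 arcfour-hmac arcfour-hmac-md5 arcfour-hmac-exp des3-cbc-sha1"

# keys_for_spn LISTING SPN -> lines of "KVNO ENCTYPE" for that principal.
keys_for_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        $4 == spn { gsub(/[()]/, "", $5); print $1, $5 }'
}

# max_kvno LISTING SPN -> highest key version stored for the principal
# (0 if absent). It must equal what `kvno SPN` reports from the KDC; a
# lower number means the service was re-keyed after this keytab was written.
max_kvno() {
    keys_for_spn "$1" "$2" | awk 'BEGIN { m = 0 } ($1 + 0) > m { m = $1 + 0 } END { print m }'
}

# has_aes_key LISTING SPN -> exit 0 if an AES key exists for the principal.
has_aes_key() {
    keys_for_spn "$1" "$2" | grep -q 'aes[0-9]*-cts-hmac-sha1-96'
}

# weak_keys LISTING SPN -> the weak enctypes still present, one per line.
weak_keys() {
    keys_for_spn "$1" "$2" | awk -v weak="$WEAK_ENCTYPES" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        ($2 in bad) { print $2 }'
}

# Offline demonstration on the constructed listing.
run_offline() {
    printf 'highest KVNO for %s: %s\n' "$SPN" "$(max_kvno "$SAMPLE_LISTING" "$SPN")"
    if has_aes_key "$SAMPLE_LISTING" "$SPN"; then
        echo "AES key present for $SPN"
    else
        echo "no AES key for $SPN"
    fi
    weak=$(weak_keys "$SAMPLE_LISTING" "$SPN")
    if [ -n "$weak" ]; then
        printf 'weak enctypes still in keytab (policy violation):\n%s\n' "$weak"
    fi
}

# Live checks against the real keytab (MIT krb5 client tools required).
# Run as the httpd user (e.g. `sudo -u apache sh thisfile.sh --live`) so a
# permission problem on the keytab shows up at the first step.
live_check() {
    ls -l "$KEYTAB"
    listing=$(klist -kte "$KEYTAB") || { echo "cannot read $KEYTAB"; return 1; }
    echo "keytab KVNO for $SPN: $(max_kvno "$listing" "$SPN")"
    has_aes_key "$listing" "$SPN" || echo "WARNING: no AES key for $SPN in keytab"
    # Use a private ccache so we do not clobber the caller's tickets.
    KRB5CCNAME="FILE:/tmp/keytab-check.$$"; export KRB5CCNAME
    # Can the keytab authenticate the service principal at all?
    KRB5_TRACE=/dev/stderr kinit -kt "$KEYTAB" "$SPN" || return 1
    # KVNO and enctype the KDC currently uses for HTTP service tickets;
    # compare with the keytab KVNO and enctypes printed above.
    kvno "$SPN" && klist -e
    kdestroy
}

if [ "${1:-}" = "--live" ]; then live_check; else run_offline; fi
```

If `Krb5Keytab` is set in the mod_auth_kerb section of httpd.conf it takes precedence over `default_keytab_name` in krb5.conf, so both must point at the new file. Old DES/RC4 entries left in the keytab do not break AES authentication, but they violate the policy described in the post; rebuild the keytab with only the AES entries (ktutil can delete individual slots) once the AES keys are confirmed to work.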