Apache Kerberos authentication tickets are not visible under klist

Tags: apache-2.2, mit-kerberos, pam-krb, ubuntu-14.04

When I configured the Apache authentication using Kerberos, it worked fine. It asks for the password and logs into the website, and it creates log information like this:
/var/log/kerberos/krb5kdc.log

Jul 03 15:30:03 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.224: NEEDED_PREAUTH: ashokkrishna@IGROUP.COM for krbtgt/IGROUP.COM@IGROUP.COM, Additional pre-authentication required
Jul 03 15:30:03 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.224: ISSUE: authtime 1435917603, etypes {rep=18 tkt=18 ses=18}, ashokkrishna@IGROUP.COM for krbtgt/IGROUP.COM@IGROUP.COM

But when I run

ashokkrishna@ashokkrishna-Lenovo-B560:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)

it does not list any obtained tickets. Why?
Every time I open Firefox the website asks for the username and password again and again, although my ticket expiration time is long enough.

But when I add the user using

ashokkrishna@ashokkrishna-Lenovo-B560:~$ kinit ashokkrishna
Password for ashokkrishna@IGROUP.COM: 

ashokkrishna@ashokkrishna-Lenovo-B560:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ashokkrishna@IGROUP.COM

Valid starting       Expires              Service principal
2015-07-03T15:56:33  2015-07-04T01:56:33  krbtgt/IGROUP.COM@IGROUP.COM
    renew until 2015-07-04T15:56:30
2015-07-03T15:56:44  2015-07-04T01:56:33  HTTP/igroup.com@IGROUP.COM
    renew until 2015-07-04T15:56:30

it's working fine.

Why is this happening?

EDIT:
/etc/apache2/sites-enabled/sites-enabled.

<Directory /var/www/html/auth-kerberos>
    AuthType Kerberos
    AuthName "Kerberos Authentication"
    KrbAuthRealms IGROUP.COM
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate On
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    Require valid-user
</Directory>

kadmin.local configuration.

kadmin.local: listprincs
HTTP/igroup.com@IGROUP.COM
K/M@IGROUP.COM
ashokkrishna/admin@IGROUP.COM
ashokkrishna@IGROUP.COM
host/igroup.com@IGROUP.COM
kadmin/admin@IGROUP.COM
kadmin/changepw@IGROUP.COM
kadmin/igroup.com@IGROUP.COM
krbtgt/IGROUP.COM@IGROUP.COM
root/admin@IGROUP.COM

ashokkrishna is the user (client). And one more thing: I have the KDC, admin server, Apache server and client all on a single host (PC). I am testing on a single system.

Best Answer

When KrbMethodNegotiate fails because you don't have a valid (in your case, any) ticket, Apache falls back to KrbMethodK5Passwd, which is on by default. This is the expected behavior with your configuration.


Side notes

  1. Apache shouldn't be using the system keytab. Configure an application keytab for it.
  2. If you are using the Basic Auth mechanism, the module does not do any special encryption of any sort. The passing of the username and password is done with the same Base64 encoding that Basic Auth uses. This can easily be converted to plain text. To counter this, I would suggest also using mod_ssl or Apache-SSL. The use of SSL encryption is also recommended if you are using the Negotiate method.
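As an added example from the editor (not the questioner's file and not the answerer's), here is a hardened version of the Directory block from the question that follows the answer's two side notes and turns the password fallback off. With KrbMethodK5Passwd Off a client that holds no ticket gets a plain 401 instead of a password dialog, so the AS_REQ lines in the question's krb5kdc.log (Apache obtaining a TGT with the submitted password, credentials that never reach the user's own /tmp/krb5cc_1000) stop appearing and only Negotiate logins succeed. KrbVerifyKDC is turned back on so the ticket is checked against the service keytab, which is what that directive exists for. The keytab path, certificate paths and the Ubuntu www-data user are assumptions.

```apache
# Added example, not the questioner's configuration. Needs mod_auth_kerb and
# mod_ssl enabled (a2enmod auth_kerb ssl). The keytab path below is an
# assumption; populate it from kadmin.local with
#   ktadd -k /etc/apache2/http.keytab HTTP/igroup.com@IGROUP.COM
# and make it readable only by the Apache user (chown www-data, chmod 0400),
# so the system keytab /etc/krb5.keytab is never exposed to the web server.

<VirtualHost *:80>
    ServerName igroup.com
    # Never serve the protected path over plain HTTP: a Basic header is only
    # base64, and a Negotiate token can be replayed within its lifetime.
    Redirect permanent /auth-kerberos https://igroup.com/auth-kerberos
</VirtualHost>

<VirtualHost *:443>
    ServerName igroup.com
    SSLEngine on
    # Assumed certificate paths.
    SSLCertificateFile    /etc/ssl/certs/igroup.com.pem
    SSLCertificateKeyFile /etc/ssl/private/igroup.com.key

    <Directory /var/www/html/auth-kerberos>
        AuthType Kerberos
        AuthName "Kerberos Authentication"
        KrbAuthRealms IGROUP.COM
        # Application keytab holding only HTTP/igroup.com@IGROUP.COM.
        Krb5Keytab /etc/apache2/http.keytab
        KrbMethodNegotiate On
        # No Basic fallback: no ticket means a 401, not a password prompt,
        # and Apache never handles a user's password or does an AS_REQ for it.
        KrbMethodK5Passwd Off
        # Verify the presented ticket against the keytab (KDC spoofing check).
        KrbVerifyKDC On
        KrbSaveCredentials Off
        # Refuse the request entirely if it somehow arrives without TLS.
        SSLRequireSSL
        Require valid-user
    </Directory>
</VirtualHost>
```

Check the file with `apache2ctl configtest` before reloading. To confirm the Negotiate path end to end from the client, run `kinit ashokkrishna`, then `curl --negotiate -u : https://igroup.com/auth-kerberos/`; afterwards `klist` should list `HTTP/igroup.com@IGROUP.COM` next to the krbtgt entry, exactly as in the question's second klist output. One caveat beyond what the page covers: Firefox only sends Negotiate to hosts listed in its `network.negotiate-auth.trusted-uris` preference, so a ticket in the cache is not sufficient on its own for a browser login.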

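The exchange the answer describes, modelled as an added example (editor's code, not mod_auth_kerb's and not from the original post). The server side reproduces only the method-selection rule the answer states (Negotiate first, password fallback when KrbMethodK5Passwd is on); the KDC and GSSAPI are replaced by constructed lookup tables, and the token, password and principal are made up. Running it with the question's effective configuration (Negotiate on, K5Passwd on by default) and no ticket shows the Basic challenge, the password prompt, and the AS_REQ Apache has to send on the user's behalf; with K5Passwd off the same client gets a 401 and no prompt; a client holding a ticket gets through on Negotiate with no password on the wire.

```python
"""Model of a request to a mod_auth_kerb-protected path (added example)."""
import base64
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KrbConfig:
    """The directives from the question that decide which methods are offered."""
    realm: str = "IGROUP.COM"
    auth_name: str = "Kerberos Authentication"
    method_negotiate: bool = True   # KrbMethodNegotiate
    method_k5passwd: bool = True    # KrbMethodK5Passwd (mod_auth_kerb default: On)


# Constructed stand-ins for the KDC's password database and for GSSAPI
# validation of a service ticket against the HTTP/igroup.com keytab.
KDC_PASSWORDS = {"ashokkrishna@IGROUP.COM": "correct horse"}                    # constructed
SERVICE_TICKETS = {"c3ZjLXRpY2tldC1mb3ItSFRUUA==": "ashokkrishna@IGROUP.COM"}  # constructed


@dataclass
class Exchange:
    """Messages on the wire plus what the server had to do to reach a decision."""
    messages: List[str] = field(default_factory=list)
    status: int = 401
    method: Optional[str] = None
    principal: Optional[str] = None
    password_prompt: bool = False   # the browser had to ask the user for a password
    as_req_sent: bool = False       # Apache used that password to get a TGT from the KDC


def challenge(cfg: KrbConfig) -> List[str]:
    """WWW-Authenticate values a 401 carries under cfg. With K5Passwd on, Basic is
    offered next to Negotiate, and a browser holding no ticket answers Basic."""
    offered = []
    if cfg.method_negotiate:
        offered.append("Negotiate")
    if cfg.method_k5passwd:
        offered.append(f'Basic realm="{cfg.auth_name}"')
    return offered


def recover_basic_credentials(authorization: str):
    """Anyone who sees a Basic header on an unencrypted link gets the password back."""
    scheme, _, value = authorization.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def server_authenticate(cfg: KrbConfig, authorization: str, ex: Exchange) -> None:
    """Server side: Negotiate is handled first, the password path only if enabled."""
    scheme, _, token = authorization.partition(" ")
    if scheme == "Negotiate" and cfg.method_negotiate:
        ex.method = "Negotiate"
        client = SERVICE_TICKETS.get(token)          # stand-in for gss_accept_sec_context()
        if client is not None:
            ex.status, ex.principal = 200, client
    elif scheme == "Basic" and cfg.method_k5passwd:
        ex.method = "Basic"
        user, password = recover_basic_credentials(authorization)
        principal = user if "@" in user else f"{user}@{cfg.realm}"
        # krb5_get_init_creds_password(): this is the AS_REQ seen in krb5kdc.log. The
        # resulting TGT lives in the Apache process, never in the user's own cache.
        ex.as_req_sent = True
        if KDC_PASSWORDS.get(principal) == password:
            ex.status, ex.principal = 200, principal


def browser_visit(cfg: KrbConfig, has_ticket: bool, password: Optional[str] = None) -> Exchange:
    """Client side: sends Negotiate when it has a ticket, otherwise falls back to
    whatever else the 401 offered, prompting the user if that is Basic."""
    ex = Exchange()
    ex.messages.append("C: GET /auth-kerberos/ HTTP/1.1")
    offered = challenge(cfg)
    ex.messages.append("S: 401 WWW-Authenticate: " + ", ".join(offered))
    if has_ticket and "Negotiate" in offered:
        authz = "Negotiate " + next(iter(SERVICE_TICKETS))
    elif any(h.startswith("Basic") for h in offered):
        ex.password_prompt = True
        if password is None:
            ex.messages.append("C: password dialog cancelled")
            return ex
        authz = "Basic " + base64.b64encode(f"ashokkrishna:{password}".encode()).decode()
    else:
        ex.messages.append("C: no usable scheme, stops")
        return ex
    ex.messages.append(f"C: GET /auth-kerberos/ Authorization: {authz}")
    server_authenticate(cfg, authz, ex)
    ex.messages.append(f"S: {ex.status}")
    return ex


if __name__ == "__main__":
    for label, cfg, ticket, pw in [
        ("question's config, no ticket", KrbConfig(), False, "correct horse"),
        ("KrbMethodK5Passwd Off, no ticket", KrbConfig(method_k5passwd=False), False, None),
        ("ticket in cache", KrbConfig(), True, None),
    ]:
        ex = browser_visit(cfg, ticket, pw)
        print(f"== {label}: {ex.status} via {ex.method}, prompt={ex.password_prompt}, AS_REQ={ex.as_req_sent}")
        print("\n".join("   " + m for m in ex.messages))
```

The first scenario is the question: the 401 offers both schemes, the browser has nothing to answer Negotiate with, prompts for a password, and Apache turns that password into an AS_REQ, which is why the KDC log fills up while the user's klist stays empty. `recover_basic_credentials` is the answer's second side note made concrete: the Basic header in the trace decodes straight back to `ashokkrishna:correct horse`, so TLS is the only thing standing between that fallback and anyone on the path.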