Apache2, Kerberos: gss_accept_sec_context() failed: An unsupported mechanism was requested

apache-2.2 kerberos mod-auth-kerb single-sign-on

I want to use Kerberos and Apache 2 on Linux with mod_auth_kerb.

I added .htaccess to my project with the following:

#SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/httpd/httpd.keytab
KrbLocalUserMapping On
require valid-user

When I tried to test my single sign-on in IE or Firefox, I got the following error in the Apache log:

[Thu Jan 19 21:03:27 2012] [error] [client 10.65.0.1] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

I don't know what it is or what I should do to make it work.

My aim is to get REMOTE_USER filled with the AD user name. But now I can't do anything because of this error…

Best Answer

In a simple setup, using mod_auth_gssapi and FreeIPA as the krb5 server and to generate keytabs, I found out that adding the following next to the AuthType command addressed the issue.

BrowserMatch Windows gssapi-no-negotiate

Based on the answer from andsens, it does seem that this is happening on Windows clients that try to use NTLM. GssapiAllowedMech krb5 and GssapiBasicAuthMech krb5 don't give a successful outcome to the negotiation, so the only solution seems to be to disable the negotiation. I cannot guarantee this is accurate, but it worked for me.

The corresponding documentation is here
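
The answer above attributes the error to clients that send NTLM inside the Negotiate exchange. The following is an added example, not part of the original question or answer: it decodes an `Authorization: Negotiate ...` value captured from a failing request and lists the mechanisms the client offered. The names `read_tlv`, `classify_negotiate` and `SAMPLE_SPNEGO` are hypothetical, and the sample token is constructed.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, body).
MECHS = {
    bytes.fromhex("06062b0601050502"): "spnego",            # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample: SPNEGO NegTokenInit offering Kerberos, then NTLM (no mechToken).
SAMPLE_SPNEGO = bytes.fromhex("602706062b0601050502a01d301ba0193017"
                              "06092a864886f712010202060a2b06010401823702020a")

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos:pos + 2]          # ValueError if fewer than 2 bytes remain
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Return the mechanisms the client offered, preferred first."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(b"NTLMSSP\x00"):    # bare NTLM, no SPNEGO wrapper
        return ["ntlm"]
    tag, pos, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, _, oid_end = read_tlv(token, pos)
    if MECHS.get(token[pos:oid_end]) != "spnego":
        return [MECHS.get(token[pos:oid_end], "unknown")]
    pos = oid_end                           # [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected SPNEGO structure")
    mechs = []
    while pos < end:
        _, _, nxt = read_tlv(token, pos)
        mechs.append(MECHS.get(token[pos:nxt], "unknown"))
        pos = nxt
    return mechs
```

Calling `classify_negotiate("Negotiate " + base64.b64encode(SAMPLE_SPNEGO).decode())` returns `['kerberos', 'ntlm']`. A result of `['ntlm']` for a failing request means the client never offered Kerberos, which matches the cause described in the answer.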