After struggling for a very long time with Kerberos authentication on my website, I am finally coming to you because I am lost. I am currently creating a classic PHP website and I want to include a seamless authentication by using Kerberos.
So here is the situation:
- I have a Windows 2012R2 domain controller with the KDC role.
- I have a Linux LAMP server (fqdn = webserver.domain.local).
- I have my website which is hosted on the Linux server and which is reachable through HTTPS with this name: site.domain.local
I have set up my Kerberos authentication mostly by following these instructions: https://serverfault.com/a/753956/506532 (my SPN is HTTPS/site.domain.local@DOMAIN.LOCAL).
I have also registered site.domain.local as an "intranet website" in IE settings.
When I check if Kerberos authentication is working from the webserver with kinit, the authentication is successful, but when I go on site.domain.local from my computer (which is, of course, linked to the domain) it prompts me to authenticate with BASIC. I can successfully login with my credentials but I assume Kerberos is not working properly and I do not understand why.
When accessing the website I get this error in Apache's logs:
gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
With debug mode enabled, I get these logs :
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTPS/site.domain.local@DOMAIN.LOCAL
Verifying client data using KRB5 GSS-API
Client didn't delegate us their credential
Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
GSS-API major_status:00010000, minor_status:00000000
I searched for a solution and everyone with this kind of behavior solved it by putting the website as an "intranet website" in IE but it is already done for me …
Does anyone have any idea?
Best Answer
Your SPN is incorrect. It should be HTTP/site.domain.local
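A browser doing Negotiate asks the KDC for a ticket to HTTP/<fqdn>, whatever the URL scheme, so a keytab that only holds HTTPS/<fqdn> cannot be matched by mod_auth_kerb and the client falls back to NTLM or Basic, which is exactly what the log above shows. The script below is an added diagnostic, not code from the thread or from mod_auth_kerb: it checks a `klist -k` listing for the principal the browser will request; the sample listings and KVNO values are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): check whether a keytab listing
# contains the service principal a browser actually requests for Negotiate,
# which is HTTP/<fqdn>@REALM regardless of whether the site is served over https.

# check_http_spn <fqdn> <realm> <klist -k output>
# Returns 0 if HTTP/<fqdn>@REALM is present, 2 if only the HTTPS/ variant is,
# 1 if neither is found.
check_http_spn() {
    fqdn=$1
    realm=$2
    listing=$3
    want="HTTP/${fqdn}@${realm}"
    wrong="HTTPS/${fqdn}@${realm}"
    # klist prints "<KVNO> <principal>", so anchor on the space before the name
    if printf '%s\n' "$listing" | grep -q " ${want}\$"; then
        echo "OK: keytab holds ${want}"
        return 0
    fi
    if printf '%s\n' "$listing" | grep -q " ${wrong}\$"; then
        echo "WRONG: keytab holds ${wrong}; browsers request ${want}, so Negotiate fails and clients fall back to NTLM/Basic"
        return 2
    fi
    echo "MISSING: no entry for ${want}"
    return 1
}

# Constructed sample of 'klist -k /etc/krb5.keytab' output with the SPN from the question
SAMPLE_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTPS/site.domain.local@DOMAIN.LOCAL'

# Constructed sample after the keytab was regenerated with the corrected SPN
SAMPLE_GOOD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/site.domain.local@DOMAIN.LOCAL'

# On the web server itself, run against the real keytab:
#   check_http_spn site.domain.local DOMAIN.LOCAL "$(klist -k /etc/krb5.keytab)"
```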