Apache – Kerberos Keeps Asking for BASIC Authentication

apache-2.4kerberosmod-auth-kerb

After struggling for a very long time with kerberos authentication on my website, I am finally coming to you because I am lost. I am currently creating a classic PHP website and I want to include a seamless authentication by using kerberos.

So here is the situation :

I have a Windows 2012R2 domain controller with the KDC role.
I have a Linux LAMP server (fqdn = webserver.domain.local).
I have my website which is hosted on the Linux server and which is reachable through HTTPS with this name : site.domain.local

I have set up my kerberos authentication mostly by following these instructions : https://serverfault.com/a/753956/506532 (my SPN is HTTPS/site.domain.local@DOMAIN.LOCAL)
I have also registered site.domain.local as an "intranet website" in IE settings.

When I check if kerberos authentication is working from the webserver with kinit, the authentication is successful, but when I go on site.domain.local from my computer (which is, of course, linked to the domain) it prompts me to authenticate with BASIC. I can successfly login with my credentials but I assume kerberos is not working properly and I do not understand why.

When accessing the website I get this error in the Apaches' logs :

gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

With debug mode enabled, I get these logs :

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

Acquiring creds for HTTPS/site.domain.local@DOMAIN.LOCAL

Verifying client data using KRB5 GSS-API

Client didn't delegate us their credential

Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

GSS-API major_status:00010000, minor_status:00000000

I searched for a solution and everyone with this kind of behavior solved it by putting the website as an "intranet website" in IE but it is already done for me …

Does anyone have any idea ?

Best Answer

Your SPN is incorrect. It should be HTTP/site.domain.local

HTTP and HTTPS are considered the same service class (HTTP).
You should not include realm name in SPN (at least for Active Directory, not sure about other Kerberos implementations).

Related Solutions

Single Sign On for intranet with Apache and Linux MIT Kerberos

I found it!

I followed the instructions on https://help.ubuntu.com/community/SingleSignOn (See: "Application Installation") to configure the Apache webserver.

Here is my httpd.conf [IMAGE]:

ServerName www.eindwerk.lan

< Directory /var/www/ > Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

  AuthType Kerberos
KrbMethodNegotiate on

KrbMethodK5Passwd on
  AuthName "Kerberos Login"
  KrbAuthRealm EINDWERK.LAN
  Krb5Keytab /etc/apache2/auth/apache2.keytab
  require valid-user
< /Directory >

Then, I configured Mozilla Firefox to trust my internal site (www.eindwerk.lan) [IMAGE]:

network.negotiate-auth.delegation-uris : eindwerk.lan

network.negotiate-auth.trusted-uris: eindwerk.lan
Do a kinit in a terminal. [IMAGE]
Browse to the internal site: You are now automatically logged in!

How does this work?
- Mozilla Firefox does a regular HTTP/GET request.
- Apache replies with HTTP/401 Authorization Required.
- Mozilla Firefox replies with the Kerberos token we just got with kinit. [IMAGE OF WIRESHARK CAPTURE]
- Kerberos authentication occurs, and Apache replies with HTTP/200 OK.
Do a klist in a terminal. You should see the ticket for the webserver! [IMAGE]
Do a kdestroy in a terminal. [IMAGE]
Hard refresh (CTRL+F5) the internal site. You are now presented with a login prompt! [IMAGE]

Need help in setting up SPN for Kerberos Authentication

Since you are running the application pool as TEST\user-iis, you must apply the SPN to that account. It is generally accepted that you should also include another SPN for the short name of the host as well.

setspn -a http/test-iis.test.net TEST\user-iis
setspn -a http/test-iis TEST\user-iis

And just for clarification, all setspn is doing with these commands is modifying the "servicePrincipalName" attribute of that user account. If you open the Properties dialog for it and go to the Attributes tab, you can scroll down to servicePrincipalName, open it up, and see the changes you made.

Regarding your ping issue, check the Windows firewall on the IIS box. ICMP is not enabled by default.

Best Answer

Related Solutions

Single Sign On for intranet with Apache and Linux MIT Kerberos

Need help in setting up SPN for Kerberos Authentication

Related Topic