TL;DR
First: my server name is xy.
Second: the domain I logon to is EXAMPLE.COM
Third: this is my apache configuration
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbServiceName HTTP
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.COM
KrbSaveCredentials On
KrbVerifyKDC Off
KrbLocalUserMapping on
# This has to wait until we get the keytab file
Krb5Keytab /etc/apache2/satypo3.keytab
require valid-user
</Location>
Fourth: The way I generate the keytab file is like this:
ktpass
-princ HTTP/chzugsvint001@INFRONT.LOCAL
-mapuser kerdummy@EXAMPLE.COM
-crypto AES256-SHA1
-ptype KRB5_NT_PRINCIPAL
-pass *PASS*
-out C:\temp\satypo3.keytab
Fifth: My /etc/hosts file contains
127.0.1.1 xy
Sixth: The error I get when accessing the frontend is the following:
[auth_kerb:error] [pid 4809] [client 192.168.3.170:56962] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Request ticket server HTTP/xy.example.com@EXAMPLE.COM not found in keytab (ticket kvno 6))
So what I don't get is, although I have in no ways specified anything about xy.example.com, Kerberos tries to authenticate the server as this and fails.
Any Ideas?
Long version:
I've set up a Apache Kerberos SSO setup as it has been done many times from many of my peers in DevOps over the years and now I'm at this point too.
I've followed quite a bunch of great walkthroughs like this one and everything seems to work fine until the moment the user tries to log in when the user gets stuck on an infinite loop of login popups. I tried solving the issue like it is described here just to find out that everything is already set up accurately.
So you are my last hope, please help me Serverfault.
Regards
Tizian
EDIT The major code is 000d0000 and the minor code of the error is 96c73a23
Best Answer
So I finally figured out what seemed to be the problem.
As it seems, the options cannot be activated or disabled by On or Off but with on or off.