I have this scenario: a Windows 2008 R2 domain and a Linux server (CentOS) with Apache.
I need to configure SSO using Kerberos in order to permit our internal clients using IE or Chrome to authenticate on a website without being asked for a password.
In order to do this I followed this tutorial: https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperability.
My Apache conf file for the site is:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms <MYREALM>
# Service principal whose key is looked up in the keytab below
KrbServiceName HTTP/OTRS5@<MYREALM>
Krb5Keytab /etc/krb5.keytab
# SPNEGO (ticket) authentication only; no Basic-auth fallback that would send passwords
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials Off
# Skips checking the KDC's identity with the service key (the module's KDC-spoofing protection)
KrbVerifyKDC Off
Require valid-user
Now when I try to connect to the site I receive a 401 code.
On error.log I found:
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/OTRS5@<MYREALM>
Verifying client data using KRB5 GSS-API
Client didn't delegate us their credential
On journalctl:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I'm totally clueless about it.
Can you help me?
Regards
Francesco
Best Answer
I have found the issue.
1) I enabled Kerberos logging on the DC: https://support.microsoft.com/en-us/kb/262177
2) After checking the login again I found this error in the Security Log: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/ (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for HTTP/ in Active Directory.
3) I used this procedure to find the duplicate entry: https://support.microsoft.com/en-us/kb/321044
4) I used Active Directory Users and Computers to remove the duplicate entry: a) Open ADUC b) View->Advanced Features c) Open the object with the duplicate entry d) Open the Attribute Editor e) select servicePrincipalName and delete the entry f) disable Kerberos logging again
Bye Francesco
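The duplicate-SPN search from steps 2 and 3 of the answer, as an added PowerShell example that is not part of Francesco's post or of the linked KB articles: it lists every HTTP/ SPN registered in the domain and reports those that appear on more than one object, which is the condition behind the "duplicate names" KDC event. It assumes the RSAT ActiveDirectory module on a domain-joined admin host; the OTRS5 name and the account placeholder in the trailing comment are assumptions.

```powershell
# Added example (not from the original post): find HTTP/ SPNs registered on more than one AD object.
# Assumes the RSAT ActiveDirectory module is installed on a domain-joined admin host.
Import-Module ActiveDirectory

# Every object (user, computer or service account) that carries at least one HTTP/ SPN.
$objects = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/*)" -Properties servicePrincipalName

# Flatten to (SPN, owner DN) pairs. SPNs are compared case-insensitively, as the KDC does.
$pairs = foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        if ($spn -like 'HTTP/*') {
            [pscustomobject]@{ SPN = $spn.ToLowerInvariant(); Owner = $obj.DistinguishedName }
        }
    }
}

# An SPN held by two or more objects is what the Security Log reports as
# "The KDC encountered duplicate names"; the KDC cannot pick a key, so the ticket request fails.
$dupes = $pairs | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 }

foreach ($d in $dupes) {
    Write-Output "DUPLICATE $($d.Name) is registered on:"
    $d.Group | ForEach-Object { Write-Output "    $($_.Owner)" }
}
if (-not $dupes) { Write-Output "No duplicate HTTP/ SPNs found." }

# Cross-check with the built-in tool, which scans the whole forest for duplicates:
#   setspn -X
# Remove the stray registration from the account that should not hold it (placeholder names):
#   setspn -D HTTP/OTRS5 <stale-account>
```

Leave the SPN on the account whose key is in /etc/krb5.keytab; removing that one instead would turn the "duplicate names" event into the "Server not found in Kerberos database" error from the question.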