Enrico Scholz | 7 Apr 2007 17:24

[SOLVED] 'Request is a replay' + Basic auth

Hello,

I had a longstanding problem that mod_auth_kerb failed with

| Request is a replay

when doing Basic Auth and making lots of requests (e.g. SVN, webpages
with many images).

The problem was the setting of

| [defaults]
|    kdc_timesync         = 1

in /etc/krb5.conf. Turning it off seems to make things work fine.

Explanation: The option above is used to correct timestamps of tickets.
Unfortunately, MIT KRB5 (1.4 - 1.6) uses a precision of one second for
this calibration[1] while the system time (which is e.g. used for creating
tickets) uses a precision of microseconds.

Now, the following happens:

1. Client verifies KDC

2. Client receives an authtime reply from the KDC

   Time in reply  might be 1175958621 seconds
   Time at client might be 1175958621 seconds and 900000 microseconds

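A constructed illustration of the mechanism described above (added here; not code from the thread, from MIT krb5 or from mod_auth_kerb): a server-side replay cache that keys on the authenticator's (client, server, ctime, cusec), fed by a burst of requests issued inside one second. The assumption that a seconds-only calibration discards the sub-second part of the corrected client timestamp is a deliberate simplification of the real arithmetic, and the principal names and timestamps are made up.

```python
# Constructed model (not MIT krb5 or mod_auth_kerb code) of how a clock
# correction with one-second granularity makes a replay cache report
# "Request is a replay" for legitimate, distinct requests.
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    client: str
    server: str
    ctime: int   # client time, whole seconds since the epoch
    cusec: int   # sub-second part in microseconds, 0..999999


class ReplayCache:
    """Server-side replay cache in the spirit of RFC 4120 section 3.2.3:
    an authenticator is a replay if the server already saw the same
    (client, server, ctime, cusec) tuple inside the clock-skew window."""

    def __init__(self, skew=300):
        self.skew = skew
        self.seen = set()

    def check(self, auth, server_now):
        if abs(server_now - auth.ctime) > self.skew:
            return "Clock skew too great"
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self.seen:
            return "Request is a replay"
        self.seen.add(key)
        return "ok"


def corrected_clock(local_usec_epoch, offset_sec, keep_usec):
    """Apply a KDC-derived offset to a microsecond-precision epoch value.
    keep_usec=False models a calibration that only knows whole seconds, so
    the sub-second part of every corrected timestamp is discarded
    (simplifying assumption, not MIT krb5's exact arithmetic)."""
    sec, usec = divmod(local_usec_epoch, 1_000_000)
    return sec + offset_sec, (usec if keep_usec else 0)


def run_burst(keep_usec, n=5, gap_usec=50_000):
    """Send n requests 50 ms apart, all inside the same second, the way an
    SVN checkout or an image-heavy page does. Returns the cache verdicts."""
    cache = ReplayCache()
    start = 1175958621 * 1_000_000 + 100_000   # epoch second from the thread
    verdicts = []
    for i in range(n):
        ctime, cusec = corrected_clock(start + i * gap_usec, 0, keep_usec)
        auth = Authenticator("user@EXAMPLE.ORG", "HTTP/www.example.org",
                             ctime, cusec)
        verdicts.append(cache.check(auth, server_now=1175958621))
    return verdicts
```

With microsecond precision preserved every request is accepted; once the sub-second part is lost, every request after the first in that second is indistinguishable from a replay, which is why turning off `kdc_timesync` makes the symptom disappear.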

Henry B. Hotz | 9 Apr 2007 19:35

Re: [SOLVED] 'Request is a replay' + Basic auth

I always had a suspicion that it was a time resolution issue, but I  
wasn't seeing the error myself.  Nice piece of detective work!  We  
all thank you.

On Apr 7, 2007, at 8:24 AM, Enrico Scholz wrote:

> Hello,
>
> I had a longstanding problem that mod_auth_kerb failed with
>
> | Request is a replay
>
> when doing Basic Auth and making lots of requests (e.g. SVN, webpages
> with many images).
>
> The problem was the setting of
>
> | [defaults]
> |    kdc_timesync         = 1
>
> in /etc/krb5.conf. Turning it off seems to make things work fine.
>
>
> Explanation: The option above is used to correct timestamps of  
> tickets.
> Unfortunately, MIT KRB5 (1.4 - 1.6) uses a precision of one second for
> this calibration[1] while the system time (which is e.g. used for  
> creating
> tickets) uses a precision of microseconds.
>

Mark Yalenti | 10 Apr 2007 19:26

How do you handle a kdc that has gone offline...

Hi Gents,
Suppose the following.  Mod_auth_kerb is installed and working like a champ.  I use it to secure a single file that has a redirector in it. (Because based on whether or not you authenticate I will take some action.) Anyhow.

Let's say that my domain only has one DC (crappy domain, I know, but it's just a story right now).
Now let's say someone tries to access that secured page while the DC or KDC is not available.

The result is an internal IE error page.  I would much rather redirect the browser to some other page that does not require authentication.

How do I get Apache to realize that the KDC is unavailable and make it redirect the web page, or post an ErrorDocument, before IE takes over and puts up an internal error page, namely "The page cannot be displayed"?

Thanks!

Mark

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
modauthkerb-help mailing list
modauthkerb-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
Henry B. Hotz | 10 Apr 2007 20:07

Re: How do you handle a kdc that has gone offline...

I'm not exactly answering your question, but here are some things to  
consider:

If you're doing http-negotiate, then the web server never talks to  
the KDC (a.k.a. Domain Controller) and it won't know to do anything  
different.  If you're falling back to basic-auth with a Kerberos  
password, then mod_auth_kerb will get a distinctive error back from  
the libraries and could, theoretically, do something special.

For normal http-negotiate the web browser is supposed to get the  
ticket itself from the KDC so it can send the authentication  
response.  That's why you get an internal IE error instead of a web  
server error.  (I assume you don't plan to fix every browser out there.)

In theory the web server could check the KDC before sending the  
initial auth-required message.  I think this would be more of an  
Apache question than a mod_auth_kerb question though.

On Apr 10, 2007, at 10:26 AM, Mark Yalenti wrote:

> Hi Gents,
> Suppose the following.  Mod_auth_kerb is installed and working like  
> a champ.  I use it to secure a single file that has a redirector in  
> it. (Because based on whether or not you authenticate I will take  
> some action.) Anyhow.
>
> Let's say that my domain only has one DC (crappy domain, I know, but  
> it's just a story right now).
> Now let's say someone tries to access that secured page while the DC  
> or KDC is not available.
>
> The result is an internal IE error page.  I would much rather  
> redirect the browser to some other page that does not require  
> authentication.
>
> How do I get Apache to realize that the KDC is unavailable and make  
> it redirect the web page, or post an ErrorDocument, before IE takes  
> over and puts up an internal error page, namely "The page cannot be  
> displayed"?
>
> Thanks!
>
> Mark
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu
