3 Jun 2010 08:01
Re: Issue with mod_auth_kerb.
bapuni nayak <bapuni1985 <at> gmail.com>
2010-06-03 06:01:35 GMT
Hi All,
Guys, any help on configuration of mod_auth_kerb on Linux will be a great help.
Thanks
Abhijeet
On Thu, May 27, 2010 at 11:25 AM, bapuni nayak <bapuni1985 <at> gmail.com> wrote:
Hi All,
It's been a long time that I have been trying to configure SSO with Windows ADS, but I have failed to configure the setup.
I heard that some of you guys have done the setup on Linux systems.
Could you please provide me your setup details, so that I can at least have an SSO environment in Linux? Then I will try to replicate the same with Windows ADS.
Thanks,
Abhijeet Nayak

On Fri, Apr 30, 2010 at 1:22 AM, Collins, Kevin [BEELINE] <KCollins <at> chevron.com> wrote:
Check out this site:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT
You want to make sure that in addition to the core Kerberos Client that you also have this KRB5CLIENT web upgrade.
HMAC is supported...
Kevin
-----Original Message-----
From: Douglas E. Engert [mailto:deengert <at> anl.gov]
Sent: Thursday, April 29, 2010 11:38 AM
To: bapuni nayak
Cc: modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] Issue with mod_auth_kerb.
bapuni nayak wrote:
> Hi,
>
> Kerberos Client which I am using is provided by HP. As far as I know HP
> kerberos client does not support HMAC. So I used DES-CBC-CRC as the
> encryption for the key tab file.
Too bad, I would have expected HP to have improved their Kerberos. When
we had HPUX servers running 10, 11, 11i and 1123 we built the MIT Kerberos
from source.
One other thing to try is the ktpass +DesOnly flag, so this gets set on
the http-austin and host-austin accounts; AD may try and issue an RC4 key,
and that may be why it is failing. Your AD admin can set this bit on the
accounts.
Also see:
http://technet.microsoft.com/en-us/library/cc753771(WS.10).aspx
But DES is all but dead, so consider an upgraded OS or modern Kerberos
at least.
>
> I have done whatever was suggested by you guys, but none of it seems to
> work. Also, the ADS server is able to authenticate the user when I keep
> the "password" option on in the httpd.conf file.
>
> Thanks
> Abhijeet
>
> On Tue, Apr 27, 2010 at 11:27 PM, Douglas E. Engert <deengert <at> anl.gov> wrote:
>
> > bapuni nayak wrote:
> > > Hi All,
> > >
> > > I have removed the austin user from the ADS server and created
> > > another two users, *host-austin* (login name: host/austin.kerb.com)
> > > and *http-austin* (login name: HTTP/austin.kerb.com).
> > >
> > > Extracted the key by the below commands:
> > >
> > > ktpass -princ host/austin.kerb.com -pass mypassword1 -mapuser host-austin -crypto RC4-HMAC-NT -out c:\temp\austin.host.keytab
> > >
> > > ktpass -princ HTTP/austin.kerb.com -pass mypassword2 -mapuser http-austin -crypto RC4-HMAC-NT -out c:\temp\austin.HTTP.keytab
> > >
> > > Then copied the host and HTTP keys to the HPUX machine and placed
> > > them at /etc/krb5.keytab and /opt/hpws22/apache respectively.
> > > Set the permission of the HTTP keytab to *600* and the owner to
> > > "*www*". Also configured the httpd.conf file of apache to point
> > > to the HTTP keytab.
> > >
> > > But I got the same "permission denied" issue when I tried to
> > > access the secure site.
> > >
> > > To check if the ADS works perfectly with the hpux box, I set
> > > the *password on* in the httpd.conf file of apache, to get a
> > > password prompt. So I got the password prompt while trying to
> > > access the secure site, but it failed with the same error message.
> > >
> > > Though the SSO is not working, the normal kerberos
> > > authentication is also not working in my HPUX box.
> >
> > OK, it might be that HP does not support RC4-HMAC-NT. Is this HP's
> > Kerberos, or did you build it yourself? How old is it? In that case
> > you may have to use DES.
> >
> > > Thanks
> > > Abhijeet
> > >
> > > On Tue, Apr 27, 2010 at 12:46 AM, Henry B. Hotz <hotz <at> jpl.nasa.gov> wrote:
> > >
> > > > On Apr 26, 2010, at 8:43 AM, bapuni nayak wrote:
> > > >
> > > > > then copied each keytab file to the unix machine (did not
> > > > > merge them). First placed the HTTP key at /etc/krb5.keytab..
> > > >
> > > > Generally you will want to put the keytab with
> > > > host/austin.kerb.com <at> KERB.COM at /etc/krb5.keytab, and you'll
> > > > want to put the one with HTTP/austin.kerb.com <at> KERB.COM
> > > > someplace else. The "someplace else" should be put in the
> > > > mod_auth_kerb configuration.
> > > >
> > > > > # klist -k
> > > > > Keytab name: FILE:/etc/krb5.keytab
> > > > > KVNO Principal
> > > > > ---- --------------------------------------------------------------------------
> > > > >    6 HTTP/austin.kerb.com <at> KERB.COM
> > > > >
> > > > > Then tried to get a ticket for the service principal to check
> > > > > everything is correct, but I got the following error:
> > > > >
> > > > > # kinit -k HTTP/austin.kerb.com
> > > > > kinit(v5): Client not found in Kerberos database while getting
> > > > > initial credentials
> > > >
> > > > kinit -k -t "someplace else" HTTP/austin.kerb.com
> > > >
> > > > or
> > > >
> > > > kinit -k HTTP/austin.kerb.conf
> > > >
> > > > > I have checked the kvno number and it is correct:
> > > > >
> > > > > # kvno -k /etc/krb5.keytab HTTP/austin.kerb.com
> > > > > HTTP/austin.kerb.com <at> KERB.COM: kvno = 6, keytab entry valid
> > > >
> > > > Good, the kvnos match.
> > > > ------------------------------------------------------
> > > > The opinions expressed in this message are mine,
> > > > not those of Caltech, JPL, NASA, or the US Government.
> > > > Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu
> >
> > --
> > Douglas E. Engert <DEEngert <at> anl.gov>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
--
Douglas E. Engert <DEEngert <at> anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
modauthkerb-help mailing list
modauthkerb-help <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
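The checks Hotz and Engert walk through in the quoted messages (the HTTP/ key kept in its own keytab rather than /etc/krb5.keytab, the keytab kvno matching what the KDC reports, an enctype that is not DES, the keytab file at mode 600) can be scripted so that they are run before a "permission denied" from mod_auth_kerb is chased any further. The following is an added example, not code from this thread or from the mod_auth_kerb project: it parses the text output of MIT `klist -ke` and `kvno -k` (the sample output below is constructed, with the thread's principal names and made-up paths and kvnos) and reports findings. The enctype classification follows RFC 6649 (single DES) and RFC 8429 (3DES and RC4), both of which postdate the thread; the reading that the thread's "password" option is mod_auth_kerb's `KrbMethodK5Passwd` and that the service keytab path is given by `Krb5Keytab` is mine.

```python
import os
import re
import stat
from dataclasses import dataclass

# Constructed sample of MIT `klist -ke` output; not taken from any real host.
SAMPLE_KLIST = """Keytab name: FILE:/opt/hpws22/apache/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 HTTP/austin.kerb.com@KERB.COM (ArcFour with HMAC/md5)
   6 HTTP/austin.kerb.com@KERB.COM (DES cbc mode with CRC-32)
"""
# Constructed sample of `kvno -k <keytab> HTTP/austin.kerb.com` output.
SAMPLE_KVNO = "HTTP/austin.kerb.com@KERB.COM: kvno = 6, keytab entry valid"

KEYTAB_RE = re.compile(r"^Keytab name:\s*(?:FILE:)?(\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)")


@dataclass
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


def parse_klist(text):
    """Parse `klist -ke` output into (keytab path, [KeytabEntry, ...])."""
    path, entries = None, []
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            path = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return path, entries


def parse_kvno(text):
    """Parse `kvno -k` output into (principal, kvno the KDC currently reports)."""
    m = KVNO_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kvno output: {text!r}")
    return m.group(1), int(m.group(2))


def enctype_status(enctype):
    """Classify an enctype string as printed by klist (AES is the only 'ok')."""
    e = enctype.lower()
    if e.startswith("aes"):
        return "ok"
    if "arcfour" in e or "rc4" in e:
        return "deprecated (RC4-HMAC, RFC 8429)"
    if e.startswith("triple des") or "3des" in e:
        return "deprecated (3DES, RFC 8429)"
    if e.startswith("des"):
        return "deprecated (single DES, RFC 6649)"
    return "unknown enctype"


def check_service_keytab(klist_text, kvno_text, service_principal):
    """Return a list of findings for the service keytab; empty means it looks sane."""
    findings = []
    path, entries = parse_klist(klist_text)
    kdc_principal, kdc_kvno = parse_kvno(kvno_text)
    mine = [e for e in entries if e.principal == service_principal]
    if not mine:
        return [f"{service_principal} is not in {path}"]
    # The thread's "Client not found" symptom came from the HTTP/ key sitting in
    # the host keytab; the service key belongs in its own file named by Krb5Keytab.
    if path == "/etc/krb5.keytab" and service_principal.startswith("HTTP/"):
        findings.append("HTTP/ key is in /etc/krb5.keytab; move it to its own file and set Krb5Keytab")
    for e in mine:
        if kdc_principal == service_principal and e.kvno != kdc_kvno:
            findings.append(f"kvno mismatch: keytab has {e.kvno}, KDC reports {kdc_kvno} (re-export the keytab)")
        status = enctype_status(e.enctype)
        if status != "ok":
            findings.append(f"key '{e.enctype}' is {status}")
    return findings


def mode_findings(path, mode):
    """Pure check on permission bits: a keytab must not be group/world accessible."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is group/world accessible (mode {mode:04o}); expected 0600"]
    return []


def check_keytab_mode(path):
    """Stat a real keytab file and apply mode_findings to it."""
    return mode_findings(path, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for f in check_service_keytab(SAMPLE_KLIST, SAMPLE_KVNO, "HTTP/austin.kerb.com@KERB.COM"):
        print("FINDING:", f)
    print("mode 0644 ->", mode_findings("/tmp/example.keytab", 0o644))
```

Run on a real host, feed `check_service_keytab` the output of `klist -ke <keytab>` and `kvno -k <keytab> HTTP/<fqdn>` for the file named in `Krb5Keytab`, and run `check_keytab_mode` on the same path; the kvno comparison is the test Hotz asks for, and a mismatch means the key was re-exported (ktpass bumps the kvno) after the keytab was copied.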