Obrist, Jonas | 24 Nov 2010 16:03

gss_accept_sec_context() failed: Invalid token was supplied (No error)

Hello everyone

I am trying to set up a website which uses Kerberos SSO. Please note that
I'm very new to SSO/Kerberos.

I have the following environment:

A Kerberos server on a Windows machine.
An Ubuntu server with Apache + mod_auth_kerb.
Windows XP workspace with IE7.

The Problem:

When I try to go to the site I get a 401 and the following in the log:
[Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1579): [client
x.x.x.195] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1579): [client
x.x.x.195] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1261): [client
x.x.x.195] Acquiring creds for HTTP/ims.xxx.com@xxx.NET
[Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1407): [client
x.x.x.195] Verifying client data using KRB5 GSS-API
[Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1423): [client
x.x.x.195] Verification returned code 589824
[Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1450): [client
x.x.x.195] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.
[Wed Nov 24 15:47:57 2010] [error] [client x.x.x.195]

Henry B. Hotz | 24 Nov 2010 20:36

Re: gss_accept_sec_context() failed: Invalid token was supplied (No error)


On Nov 24, 2010, at 7:03 AM, Obrist, Jonas wrote:

> [Wed Nov 24 15:47:57 2010] [debug] src/mod_auth_kerb.c(1450): [client
> x.x.x.195] Warning: received token seems to be NTLM, which isn't
> supported by the Kerberos module. Check your IE configuration.

That's the problem.  

Try it with Firefox to make sure the server side is OK.  (Make sure you do something with the
network.negotiate-auth.trusted-uris setting to enable it in FF.)

Then go find the right setting to fix in IE.  (At least that's the order I'd proceed in.)
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu
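
Added example, not part of the original thread and not mod_auth_kerb code: a Python check that tells a raw NTLM token from a SPNEGO/Kerberos one in an `Authorization: Negotiate` header value, and decodes the "Verification returned code 589824" from the log. The function names and both sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                            # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2

def gss_routine_error(major_status):
    """Routine-error field of a GSS-API major status (bits 16-23, RFC 2744)."""
    return (major_status >> 16) & 0xFF   # 9 is GSS_S_DEFECTIVE_TOKEN

def classify_negotiate(header_value):
    """Say what kind of token an 'Authorization: Negotiate <base64>' value carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed-base64"
    if token.startswith(NTLMSSP_SIG):
        return "raw-ntlm"                 # the case mod_auth_kerb warns about
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    # Skip the 0x60 tag and its DER length (short or long form) to reach the mech OID.
    pos = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    if token.startswith(KRB5_OID, pos):
        return "raw-kerberos"
    if token.startswith(SPNEGO_OID, pos):
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "spnego-kerberos"      # the mechanism list offers Kerberos
        return "spnego-ntlm" if NTLMSSP_SIG in token else "spnego-other"
    return "unknown"

def _tlv(tag, body):
    """Short-form DER TLV, enough for the constructed sample below."""
    return bytes([tag, len(body)]) + body

def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: an NTLM type 1 message, and a SPNEGO NegTokenInit offering Kerberos.
NTLM_SAMPLE = _header(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24))
SPNEGO_KRB_SAMPLE = _header(_tlv(0x60, SPNEGO_OID + _tlv(0xA0, _tlv(0x30,
    _tlv(0xA0, _tlv(0x30, MS_KRB5_OID + KRB5_OID))))))

if __name__ == "__main__":
    print(gss_routine_error(589824))
    for sample in (NTLM_SAMPLE, SPNEGO_KRB_SAMPLE):
        print(classify_negotiate(sample))
```

A header value beginning `Negotiate TlRMTVNT` is the base64 of `NTLMSSP`, so the browser fell back to NTLM before the request reached the server.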

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
Troels Arvin | 25 Nov 2010 12:14

Status of mod_map_user?

Hello,

The mod_map_user module has been mentioned as a way to deal with 
capitalization (usernames being normalized to lower/upper case) and
realm-stripping.

I can see that there is code for mod_map_user at
http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/

But what's the status of the module? Has anyone tried it - what were the 
experiences? Has it been proposed for inclusion into Apache httpd?

-- 
Regards,
Troels Arvin <troels <at> arvin.dk>
http://troels.arvin.dk/

Daniel Kouril | 25 Nov 2010 12:18

Re: Status of mod_map_user?

On Thu, Nov 25, 2010 at 11:14:07AM +0000, Troels Arvin wrote:
> Hello,
> 
> The mod_map_user module has been mentioned as a way to deal with 
> capitalization (usernames being normalized to lower/upper case) and
> realm-stripping.
> 
> I can see that there is code for mod_map_user at
> http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/
> 
> But what's the status of the module? Has anyone tried it - what were the 
> experiences? Has it been proposed for inclusion into Apache httpd?

We use it internally on some machines, but nothing really production. If
you're interested in its use, you're welcome to give it a try. I'd be
happy to assist you if you encountered any issues,

Daniel


Gmane