MoobyFR's blog

Some IT infos

Apache vhost and Kerberos authentication

10:20 - Permalink

Kerberos (Active Directory or a classic Unix KDC) is easy to deploy for transparent user authentication with Apache: mod_auth_kerb does most of the work. But with virtual hosts, some problems arise.

First, the module complains: "failed to verify krb5 credentials: Server not found in Kerberos database". The browser asks the KDC for a service ticket for HTTP/vhost.domain.com, the name it connected to, and no principal with that name exists yet.

I've tried to use ADSI Edit on a DC and add HTTP/vhost.domain.com as another servicePrincipalName on the mapped user, which already contains the SPN for the real host.
The next error that comes up is "gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)".
This is normal: your keytab hasn't been updated to contain the new SPN. But it seems that ktpass.exe cannot export two principals into one keytab, nor does merging two keytabs with ktutil on Linux work, as the kvno is increased. The question is: does Windows really use the servicePrincipalName, or does it use the userPrincipalName? The docs say that only one mapping can be done, so I think it uses the UPN...

So virtual hosts cannot be used that easily. You have to create another dummy account (dummyuser2), map the vhost's HTTP/vhost.domain.com SPN to it, and store two keytabs on the Apache server, one per vhost.
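The procedure the post ends with, one mapped account and one keytab per virtual host, as an added shell example that is not part of the original post. It assumes the realm DOMAIN.COM, the hosts host.domain.com and vhost.domain.com, a dummy account dummyuser2, keytabs under /etc/apache2/ and the MIT Kerberos tools (ktutil, klist, kvno) for the live steps; the klist listing embedded in it is constructed. Two points worth knowing when following the steps above: every ktpass run resets the mapped account's password and bumps its kvno, so a keytab exported earlier for the same account goes stale (which is why merging old copies with ktutil does not help), and on the Apache side each vhost needs KrbServiceName set to the name the browser connected to, plus its own Krb5Keytab.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: realm
# DOMAIN.COM, hosts host.domain.com / vhost.domain.com, account dummyuser2,
# keytabs under /etc/apache2/. ktutil, klist and kvno are MIT Kerberos tools;
# the checks also run on a constructed listing so they work offline.
#
# On the DC, one ktpass run per SPN, each against its own mapped account
# (every run resets that account's password, which bumps its kvno):
#   ktpass /princ HTTP/vhost.domain.com@DOMAIN.COM /mapuser DOMAIN\dummyuser2 ^
#          /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass * /out vhost.keytab

# Merge keytab files into one with MIT ktutil (rkt = read, wkt = write).
# Usage: merge_keytabs /etc/apache2/http.keytab host.keytab vhost.keytab
merge_keytabs() {
    out=$1; shift
    {
        for kt in "$@"; do printf 'rkt %s\n' "$kt"; done
        printf 'wkt %s\nquit\n' "$out"
    } | ktutil
}

# Constructed 'klist -k -e' output: the vhost principal was exported twice,
# so a stale kvno 2 entry sits next to the current kvno 3 entry.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/host.domain.com@DOMAIN.COM (arcfour-hmac)
   2 HTTP/vhost.domain.com@DOMAIN.COM (arcfour-hmac)
   3 HTTP/vhost.domain.com@DOMAIN.COM (arcfour-hmac)
EOF
}

# Reduce a 'klist -k' listing on stdin to "principal kvno[,kvno...]" lines.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
             if (index(" " seen[$2] " ", " " $1 " ") == 0)
                 seen[$2] = (seen[$2] == "") ? $1 : seen[$2] " " $1
         }
         END { for (p in seen) { s = seen[p]; gsub(/ /, ",", s); print p, s } }' | sort
}

# Verify that each SPN given as an argument is in the listing on stdin with a
# single kvno. Returns 1 on any MISSING or STALE entry so a deploy script can
# stop before Apache starts answering with gss_acquire_cred() failures.
check_keytab_spns() {
    summary=$(keytab_kvnos)
    bad=0
    for spn in "$@"; do
        kv=$(printf '%s\n' "$summary" | awk -v p="$spn" '$1 == p { print $2 }')
        if [ -z "$kv" ]; then
            echo "MISSING $spn"; bad=1
        elif [ "${kv#*,}" != "$kv" ]; then
            echo "STALE $spn kvnos=$kv (re-export and merge fresh copies)"; bad=1
        else
            echo "OK $spn kvno=$kv"
        fi
    done
    return $bad
}

# kvno the KDC currently hands out for an SPN (needs a TGT from kinit first);
# it must equal the keytab's kvno or the service cannot decrypt tickets.
kdc_kvno() {
    kvno "$1" | sed -n 's/.*kvno = \([0-9]*\).*/\1/p'
}

# Emit a mod_auth_kerb vhost stanza bound to its own SPN and keytab.
# $1 = vhost FQDN, $2 = keytab path, $3 = DocumentRoot
vhost_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $3
    <Location />
        AuthType Kerberos
        AuthName "Kerberos ($1)"
        KrbAuthRealms DOMAIN.COM
        # the name the browser connected to, not the real host name
        KrbServiceName HTTP/$1
        Krb5Keytab $2
        KrbMethodNegotiate On
        # no Basic fallback: it would send the AD password in clear over HTTP
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>
EOF
}

# Live run (commented out so the script also works offline):
# klist -k -e /etc/apache2/http.keytab \
#   | check_keytab_spns HTTP/host.domain.com@DOMAIN.COM HTTP/vhost.domain.com@DOMAIN.COM
# vhost_conf vhost.domain.com /etc/apache2/vhost.keytab /var/www/vhost \
#   > /etc/apache2/sites-available/vhost.conf
```

Run the check after every keytab change: a STALE result means an old export of the same account is still in the file and the entry with the lower kvno can be dropped, a MISSING result is exactly the "No principal in keytab matches desired name" failure before Apache reports it. Keep each keytab readable only by the Apache user, since it holds the service key.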