# Apache22 with Kerberos and LDAP Auth

## fuhdan (Aug 27, 2011)

Hi all,
I installed an Apache web server. Now I would like to add SSO for the website.

Config:
/usr/local/etc/apache22/httpd.conf

```
<Directory "/usr/local/www/apache22/data">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all

    AuthType Kerberos
    KrbAuthRealms DOMAIN.COM
    KrbServiceName HTTP
    Krb5Keytab /usr/local/etc/apache22/http_webserver.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user

</Directory>
```

I created the keytab file as follows:

```
C:>ktpass -princ HTTP/webserver.domain.com@DOMAIN.COM -mapuser DOMAIN\user -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass user -out http_webserver.keytab
Targeting domain controller: dc.domain.com
Successfully mapped HTTP/webserver.domain.com to webserver.
Password succesfully set!
Key created.
Output keytab to http_webserver.keytab:
Keytab version: 0x502
keysize 60 HTTP/webserver.comain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x16794fd3e6f49292)
Account webserver has been set for DES-only encryption.
```

The /usr/local/etc/apache22/http_webserver.keytab has the permission 444 and is owned by root. After everything is working I change the ownership to www.

If I run *kinit loginuser* and type the password, I can see with *klist*:

```
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: loginuser@DOMAIN.COM

  Issued           Expires          Principal
Aug 27 14:50:58  Aug 28 00:50:57  krbtgt/DOMAIN.COM@DOMAIN.COM
```

But when I want to log in via the website I get the following logs:

```
[Sat Aug 27 14:47:49 2011] [debug] src/mod_auth_kerb.c(1628): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(1628): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(994): [client xxx.xxx.xxx.xxx] Using HTTP/webserver.domain.com@DOMAIN.COM as server principal for password verification
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(698): [client xxx.xxx.xxx.xxx] Trying to get TGT for user loginuser@DOMAIN.COM
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(609): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/webserver.domain.com@DOMAIN.COM
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(624): [client xxx.xxx.xxx.xxx] krb5_get_credentials() failed when verifying KDC
[Sat Aug 27 14:47:54 2011] [error] [client 192.168.40.240] failed to verify krb5 credentials: KDC has no support for encryption type
[Sat Aug 27 14:47:54 2011] [debug] src/mod_auth_kerb.c(1073): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
[Sat Aug 27 14:47:56 2011] [debug] src/mod_auth_kerb.c(1628): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
```

Thanks for any help.
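The error in the post ("KDC has no support for encryption type") comes from a keytab whose only key is single DES (etype 0x3, DES-CBC-MD5, keylength 8). A useful first check on any service keytab is to list each entry's principal, kvno and enctype and flag the ones a current KDC will refuse. The following is an added example, not code from the post or from mod_auth_kerb: it parses the MIT/Heimdal keytab file format (version 0x502, as shown in the ktpass output) and audits the enctypes. The sample keytab is constructed inline with made-up key bytes and the placeholder realm EXAMPLE.COM; `build_keytab` exists only to produce that test input.

```python
import struct

# Encryption type numbers (RFC 3961/3962/4120; MIT krb5 enctype table).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single DES is deprecated (RFC 6649) and refused by current KDCs by default;
# RC4 is legacy and should be phased out.
WEAK_ENCTYPES = {1: "single DES", 2: "single DES", 3: "single DES", 23: "RC4"}


def _counted(buf: bytes, off: int):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf: bytes) -> dict:
    """Decode one keytab_entry (format 0x502, all integers big-endian)."""
    off = 0
    (ncomp,) = struct.unpack(">H", buf[off:off + 2]); off += 2
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(buf, off)
        comps.append(c.decode())
    name_type, timestamp, vno8 = struct.unpack(">IIB", buf[off:off + 9]); off += 9
    enctype, keylen = struct.unpack(">HH", buf[off:off + 4]); off += 4
    key = buf[off:off + keylen]; off += keylen
    vno = vno8
    if len(buf) - off >= 4:  # optional 32-bit kvno; overrides the 8-bit field when non-zero
        (vno32,) = struct.unpack(">I", buf[off:off + 4])
        if vno32:
            vno = vno32
    return {
        "principal": "/".join(comps) + "@" + realm.decode(),
        "name_type": name_type,
        "timestamp": timestamp,
        "kvno": vno,
        "enctype": enctype,
        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
        "key_len": keylen,
    }


def parse_keytab(data: bytes) -> list:
    """Return a list of entry dicts from raw keytab bytes (version 0x502 only)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:          # a negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size])); pos += size
    return entries


def audit_keytab(data: bytes) -> list:
    """One finding string per entry whose enctype a modern KDC may refuse."""
    findings = []
    for e in parse_keytab(data):
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses %s (%s)" % (
                e["principal"], e["kvno"], e["enctype_name"], WEAK_ENCTYPES[e["enctype"]]))
    return findings


def _counted_bytes(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (principal, realm, enctype, key, kvno) tuples into a 0x502 keytab.
    Used here only to construct sample input for the parser."""
    out = b"\x05\x02"
    for principal, realm, enctype, key, kvno in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted_bytes(realm)
        body += b"".join(_counted_bytes(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                     # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: a DES-only entry like the one in the post (key bytes are made up),
# next to an AES256 entry for the same principal with the same kvno.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/webserver.example.com", "EXAMPLE.COM", 3, bytes(range(8)), 3),
    ("HTTP/webserver.example.com", "EXAMPLE.COM", 18, bytes(range(32)), 3),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"], e["key_len"], "bytes")
    for f in audit_keytab(SAMPLE_KEYTAB):
        print("WEAK:", f)
```

To run it against a real file, pass `open(path, "rb").read()` to `audit_keytab`; the output matches what `ktutil` (`rkt` then `list -e`) or `klist -ket` shows, with the deprecated enctypes called out. The parser skips deleted entries (negative size) rather than treating them as corruption, which is how a keytab that has been edited in place looks on disk.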
