Yes, checksum problem. I do think there is a compatibility problem in IE6. Hope this link would help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

----- Original Message -----
From: "Sung Ho Jee" <[EMAIL PROTECTED]>
To: "Fred Dennis" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Friday, November 11, 2005 10:08 AM
Subject: Re: Seamless/transparent SSO with Apache, Win2003, IE

> Did you have the 'Use DES encryption types for this account' option ticked
> for the HTTP service account when generating its keytab file?
>
> Regards,
>
> Sung-ho Jee
>
>
> Fred Dennis <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 11/11/2005 12:41 AM
>
> To: [email protected]
> cc:
> Subject: Seamless/transparent SSO with Apache, Win2003, IE
>
> I'm trying to create a seamless sign on to a web site
> using Solaris (Kerberos installed), Apache
> (mod_auth_kerb installed), MS Active directory, and IE
> client.
>
> I can authenticate using an AD user/pass to a website
> if the IE option "Enable Integrated Authentication" is
> *UN*checked. When going to the url I get a login
> prompt and enter the account information, then am
> allowed access to the web site.
>
> However, when the option is CHECKED, I am passed
> directly to the web site (which is what I want), BUT
> get the apache log errors below and a "Page cannot be
> displayed" error.
>
> Looking at the packets going to/from web server I can
> see some sort of negotiation going on, but also see a
> "checksum incorrect" message. The ethereal output is
> below.
>
> I would greatly appreciate assistance with this. I've
> been trying to find a solution for the past week to no
> avail.
>
> Thanks!
>
> ============ APACHE ERROR LOG ===============
> [Thu Nov 10 08:34:37 2005] [debug]
> src/mod_auth_kerb.c(1322): [client 10.76.105.97]
> kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Thu Nov 10 08:34:37 2005] [debug]
> src/mod_auth_kerb.c(1023): [client 10.76.105.97]
> Acquiring creds for
> HTTP/[EMAIL PROTECTED]
>
> ================ PACKET CAPTURE ===============
> Frame 7 (2051 bytes on wire, 2051 bytes captured)
> Ethernet II, Src: Intel_40:15:ec (00:d0:b7:40:15:ec),
> Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
> Internet Protocol, Src: 10.76.105.97 (10.76.105.97),
> Dst: 10.76.65.113 (10.76.65.113)
> Transmission Control Protocol, Src Port: 3188 (3188),
> Dst Port: http (80), Seq: 315, Ack: 853, Len: 1997
> Source port: 3188 (3188)
> Destination port: http (80)
> Sequence number: 315 (relative sequence number)
> Next sequence number: 2312 (relative sequence
> number)
> Acknowledgement number: 853 (relative ack
> number)
> Header length: 20 bytes
> Flags: 0x0018 (PSH, ACK)
> Window size: 64683
>
> *****************************************************
> *****************************************************
> * CHECKSUM ERROR -- comments added by me
> *****************************************************
> *****************************************************
>
> Checksum: 0xbf70 [incorrect, should be 0x2f4c]
> SEQ/ACK analysis
> Hypertext Transfer Protocol
> GET /cgi-bin/1/printenv HTTP/1.1\r\n
> Request Method: GET
> Request URI: /cgi-bin/1/printenv
> Request Version: HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, */*\r\n
> Accept-Language: en-us\r\n
> UA-CPU: x86\r\n
> Accept-Encoding: gzip, deflate\r\n
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n
> Host: curly.corp.inthosts.net\r\n
> Connection: Keep-Alive\r\n
> Authorization: Negotiate
> YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJsEggSXYIIEkwYJKoZIhvcSAQICAQBuggSCMIIEfqADAgEFoQMCAQ6iBwMFACAAAACjggOmYYIDojCCA56gAwIBBaESGxBNQVguSU5USE9TVFMuTkVUoiowKKADAgECoSEwHx
> GSS-API Generic Security Service Application
> Program Interface
> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple
> Protected Negotiation)
> SPNEGO
> negTokenInit
> mechTypes: 3 items
> Item: 1.2.840.48018.1.2.2 (MS
> KRB5 - Microsoft Kerberos 5)
> Item: 1.2.840.113554.1.2.2
> (KRB5 - Kerberos 5)
> Item: 1.3.6.1.4.1.311.2.2.10
> (NTLMSSP - Microsoft NTLM Security Support Provider)
> mechToken:
> 6082049306092A864886F71201020201006E820482308204...
> krb5_blob:
> 6082049306092A864886F71201020201006E820482308204...
> KRB5 OID: 1.2.840.113554.1.2.2
> (KRB5 - Kerberos 5)
> krb5_tok_id: KRB5_AP_REQ
> (0x0001)
> Kerberos AP-REQ
> Pvno: 5
> MSG Type: AP-REQ (14)
> Padding: 0
> APOptions: 20000000
> (Mutual required)
> .0.. .... .... ....
> .... .... .... .... = Use Session Key: Do NOT use the
> session key to encrypt the ticket
> ..1. .... .... ....
> .... .... .... .... = Mutual required: MUTUAL
> authentication is REQUIRED
> Ticket
> Tkt-vno: 5
> Realm:
> MAX.INTHOSTS.NET
> Server Name (Service
> and Instance): HTTP/curly.corp.inthosts.net
> Name-type: Service
> and Instance (2)
> Name: HTTP
> Name:
> curly.corp.inthosts.net
> enc-part rc4-hmac
> Encryption type:
> rc4-hmac (23)
> Kvno: 2
> enc-part:
> B03EAB462F73653D61D98C3CA97705CFFD50D177D14021EA...
> Authenticator rc4-hmac
> Encryption type:
> rc4-hmac (23)
> Authenticator data:
> E3A02A891F9A43AD16797C0D26D395BA356381948B70C925...
> \r\n
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
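
The mechTypes list that ethereal decodes in the capture above can be recovered directly from the Authorization: Negotiate value, which is a quick way to confirm from a log or capture that the browser offered Kerberos rather than only NTLM. This is an added example, not part of the original thread; the function names are hypothetical, and the input is the first 116 characters of the token quoted in the post, which is itself truncated there.

```python
import base64

# First 116 characters of the Authorization: Negotiate value quoted in the
# post; the post truncates the token, so only its leading fields are decodable.
NEGOTIATE_PREFIX = (
    "YIIE1QYGKwYBBQUCoIIEyTCCBMWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGC"
    "NwICCqKCBJsEggSXYIIEkwYJKoZIhvcSAQICAQBuggSC"
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos.
    A declared length running past the end of a truncated capture is clamped."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = min(pos + length, len(buf))
    return tag, buf[pos:end], end

def decode_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(negotiate_b64):
    """List the mechType OIDs, in client preference order, from a negTokenInit."""
    raw = base64.b64decode(negotiate_b64[: len(negotiate_b64) // 4 * 4])
    tag, gss, _ = read_tlv(raw, 0)         # 0x60: GSS-API InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial token (raw NTLMSSP?)")
    tag, oid, pos = read_tlv(gss, 0)
    if tag != 0x06 or decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("outer mechanism is not SPNEGO")
    _, init, _ = read_tlv(gss, pos)        # [0] negTokenInit
    _, seq, _ = read_tlv(init, 0)          # SEQUENCE
    _, field, _ = read_tlv(seq, 0)         # [0] mechTypes
    _, mech_list, _ = read_tlv(field, 0)   # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = read_tlv(mech_list, pos)
        mechs.append(decode_oid(oid))
    return mechs
```

Calling offered_mechs(NEGOTIATE_PREFIX) returns the same three OIDs the capture lists, in the order the client prefers them: MS KRB5, KRB5, then NTLMSSP.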
