Hi guys,

I configured mod_auth_kerb according to the (very good) tutorial http://www.grolmsnet.de/kerbtut

Basic authentication was working from Firefox, but failing from IE7. So I cranked up the debug level in Apache and noticed some interesting things in the error log:

    [Mon Mar 05 15:17:03 2007] [debug] src/mod_auth_kerb.c(1172): [client 137.99.2.73] Acquiring creds for HTTP/[EMAIL PROTECTED]
    [Mon Mar 05 15:17:03 2007] [error] [client 137.99.2.73] gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)
    [Mon Mar 05 15:17:03 2007] [info] Connection to child 70 closed with unclean shutdown(server people.engr.uconn.edu:443, client 137.99.2.73)
    [Mo

This was odd because our Kerberos realm is AD.ENGR.UCONN.EDU, and the principal I created with ktpass.exe was HTTP/[EMAIL PROTECTED]. Why was it changing the REALM to UCONN.EDU? My /etc/krb5.conf was pretty straightforward and in no place defined the realm UCONN.EDU, and my .htaccess file looked like this:

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms AD.ENGR.UCONN.EDU
    KrbServiceName HTTP
    KrbVerifyKDC off
    KrbMethodNegotiate on
    KrbSaveCredentials off
    Krb5Keytab /etc/krb5.keytab
    require valid-user

If I changed KrbMethodNegotiate to off, then IE7 would let me log in by typing my username and password. However, since I was logging on to the Windows domain, I should be able to authenticate with Kerberos, so I turned KrbMethodNegotiate back on and was unable to authenticate with IE7 again.

Changing my KrbServiceName to HTTP/[EMAIL PROTECTED] did the trick. Now IE will let me authenticate without typing my password (using my TGT?)

Things are working the way I want them now. Are there any problems with my configuration? Does anyone know how my realm got confused?

Thanks for any help!

Rohit

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
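A log check for the symptom described in the message above, as an added example that is not part of the original post: it compares the realm in each mod_auth_kerb "Acquiring creds for" debug line with the realms listed on KrbAuthRealms and records whether the keytab lookup then failed for the same client. The log lines, host name, realms and client addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the log format quoted in the post;
# host, realms and client addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
[Mon Mar 05 15:17:03 2007] [debug] src/mod_auth_kerb.c(1172): [client 192.0.2.10] Acquiring creds for HTTP/www.corp.example.com@EXAMPLE.COM
[Mon Mar 05 15:17:03 2007] [error] [client 192.0.2.10] gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)
[Mon Mar 05 15:20:41 2007] [debug] src/mod_auth_kerb.c(1172): [client 192.0.2.11] Acquiring creds for HTTP/www.corp.example.com@CORP.EXAMPLE.COM
"""
SAMPLE_HTACCESS = """\
AuthType Kerberos
KrbAuthRealms CORP.EXAMPLE.COM
KrbServiceName HTTP
"""

ACQUIRE = re.compile(r"\[client (?P<client>[^\]]+)\] Acquiring creds for (?P<princ>\S+)")
KEYTAB_FAIL = re.compile(
    r"\[client (?P<client>[^\]]+)\] gss_acquire_cred\(\) failed: .*No principal in keytab")

def configured_realms(htaccess):
    """Return the realms on KrbAuthRealms lines (directive names are case-insensitive)."""
    realms = set()
    for line in htaccess.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "krbauthrealms":
            realms.update(parts[1:])
    return realms

def realm_mismatches(log, htaccess):
    """List acquire attempts whose realm is not in KrbAuthRealms, and whether the
    same client's next matching log event was the keytab-lookup failure."""
    allowed = configured_realms(htaccess)
    findings, pending = [], {}
    for line in log.splitlines():
        m = ACQUIRE.search(line)
        if m:
            princ = m["princ"]
            # Realm names are case-sensitive, so compare them exactly.
            realm = princ.rpartition("@")[2] if "@" in princ else None
            pending.pop(m["client"], None)  # a new attempt supersedes the old one
            if realm not in allowed:
                entry = {"client": m["client"], "principal": princ,
                         "realm": realm, "keytab_failure": False}
                findings.append(entry)
                pending[m["client"]] = entry
            continue
        f = KEYTAB_FAIL.search(line)
        if f and f["client"] in pending:
            pending.pop(f["client"])["keytab_failure"] = True
    return findings
```

The debug lines this reads are only written when the Apache log level is raised to debug, as in the post.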
