All,

We are using Apache2 with mod_auth_kerb.

Red Hat Enterprise Linux AS release 3 (2.4.21-40.Elsmp)
Apache 2.0.49 (fork)
mod_auth_kerb-5.3
MIT Kerberos Version 5, Release 1.5.2
Windows XP sp2 (desktop).

1. User logs on to their desktop.
2. I can see TGT using kerbtray.
3. Everything works fine for 2 days.
4. Right from the 3rd day users start getting basic auth box when they try to access the site.

Apache logs
=========
[Mon Apr 09 10:03:25 2007] [info] Initial (No.1) HTTPS request received for child 1 (server lxdm14545.corp.mycompany.com:443)
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1474): [client 10.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1161): [client 10.X.X.X] Acquiring creds for [EMAIL PROTECTED]
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1305): [client 10.X.X.X] Verifying client data using KRB5 GSS-API
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1321): [client 10.X.X.X] Verification returned code 589824
[Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1348): [client 10.X.X.X] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Apr 09 10:03:25 2007] [error] [client 10.X.X.X] gss_accept_sec_context() failed: Invalid token was supplied (No error)
[Mon Apr 09 10:03:25 2007] [info] Connection to child 1 closed with unclean shutdown(server lxdm14545.corp.mycompany.com:443, client 10.X.X.X)

On the kerbtray I can see a valid ticket (non-expired). If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts working fine again.

I used ethereal to see what's happening.

On successful auth: IE is sending Authorization : Negotiate
On failure auth: IE is sending Authorization : NTLMSSP (without even trying to use GSSAPI)

Does anyone know what triggers Windows XP to stop doing kerb auth (GSSAPI) and switch to NTLM? It's weird that it's working fine for a couple of days and starts misbehaving this way.

Once in a while I see this error on Desktop's event viewer. There is no pattern in the time interval between the errors.

The Security System could not establish a secured connection with the server ldap/sfo1dc1.corp.mycompany.com/[EMAIL PROTECTED] No authentication protocol was available.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I verified that we have reverse DNS lookup set up properly. This seems to be more of an issue on the XP side.

Any help in this regard will be appreciated.

Thanks
--Sriram

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
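
Added example (not part of the original post, and not mod_auth_kerb's own code): a Python helper that classifies the token in a captured Authorization header, telling raw NTLMSSP apart from a GSS-API token that carries the SPNEGO or Kerberos 5 mechanism OID, which is the distinction behind the "received token seems to be NTLM" warning in the log above. The function name and the sample headers are constructed for illustration.

```python
import base64
import binascii

NTLMSSP_SIG = b"NTLMSSP\x00"                         # 8-byte NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Return (kind, detail) for an 'Authorization' header value.

    kind is one of: ntlm, spnego, krb5, unknown, malformed.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return ("malformed", "expected '<scheme> <base64 token>'")
    scheme, b64 = parts
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return ("malformed", "token is not valid base64")

    # Raw NTLMSSP: signature, then a 4-byte little-endian message type.
    if token.startswith(NTLMSSP_SIG):
        if len(token) < 12:
            return ("malformed", "truncated NTLMSSP message")
        mtype = int.from_bytes(token[8:12], "little")
        return ("ntlm", f"{scheme} carries NTLMSSP {NTLM_TYPES.get(mtype, mtype)}")

    # GSS-API initial token: 0x60, DER length, then the mechanism OID.
    if len(token) > 2 and token[0] == 0x60:
        n = token[1]
        pos = 2 if n < 0x80 else 2 + (n & 0x7F)   # skip short or long form length
        if token.startswith(SPNEGO_OID, pos):
            return ("spnego", f"{scheme} carries a SPNEGO initial token")
        if token.startswith(KRB5_OID, pos):
            return ("krb5", f"{scheme} carries a raw Kerberos 5 GSS token")
    return ("unknown", f"{scheme} token of {len(token)} bytes not recognised")


# Constructed sample headers (no real credentials or tickets).
_spnego = SPNEGO_OID + b"\xa0\x00"
SAMPLES = [
    "Negotiate TlRMTVNTUAABAAAA",   # "NTLMSSP\0" + message type 1
    "Negotiate " + base64.b64encode(b"\x60" + bytes([len(_spnego)]) + _spnego).decode(),
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(classify_authorization(h))
```

A "spnego" result identifies only the outer wrapper; the mechanism list inside a SPNEGO token can still offer NTLM, so it does not by itself prove that a Kerberos ticket was sent.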