Sounds like the same problem I postet last week. Unfortunately I have not found a solution for it. If you find any, please let me know, I will do the same.
Just to check: [ ] You have the "Enable Integrated Windows Authentication" chackbox checked and restarted your browser [ ] You have added the site you are contacting to your "local intranet zoone" [ ] In security Settings for intranet zone "Automatic logon only in intranet zone" is selected Regards, Florian -------- Original-Nachricht -------- > Datum: Mon, 26 Nov 2007 03:04:43 -0800 (PST) > Von: palm <[EMAIL PROTECTED]> > An: [email protected] > Betreff: Apache + Kerberos + MS-AD = SSO / Problem with a Login Box for some > Users > hi, > > currently we had a heavy problem with our SSO configuration. u can see > in subject which configuration we have. its a apache2 with kerberos > modules and the users are in an MS active directory. > > everything works rather fine. but some of the users get a login > message dialog box few times a day. after the login with their > username and password everything works fine. some of them getting the > box again after a while and some don't. > > for the most of all users it works fine. but its not only a special > group who had this login box problem. the most of all users had > alleady this problem not > > when a User get the Login Box we found this messages in the Apache > logs : > > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1483): [client > 192.168.2.115] kerb_authenticate_user entered with user (NULL) and > auth_type Kerberos [Wed Nov 21 12:11:03 2007] [debug] src/ > mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user > entered with user (NULL) and auth_type Kerberos [Wed Nov 21 12:11:03 > 2007] [debug] src/mod_auth_kerb.c(1174): [client 192.168.2.115] > Acquiring creds for HTTP/[EMAIL PROTECTED] > > [Wed Nov 21 12:11:03 2007] [debug] src/mod_auth_kerb.c(1314): [client > 192.168.2.115] Verifying client data using KRB5 GSS-API [Wed Nov 21 > 12:11:03 2007] [debug] src/mod_auth_kerb.c(1330): [client > 192.168.2.115] Verification returned code 589824 [Wed Nov 21 12:11:03 > 2007] [debug] src/mod_auth_kerb.c(1357): [client 192.168.2.115] > Warning: received token seems to be NTLM, which isn't supported by the > Kerberos module. Check your IE configuration. > > [Wed Nov 21 12:11:03 2007] [error] [client 192.168.2.115] > gss_accept_sec_context() failed: A token was invalid (Token header is > malformed or corrupt) [Wed Nov 21 12:24:11 2007] [debug] src/ > mod_auth_kerb.c(1483): [client 192.168.2.115] kerb_authenticate_user > entered with user (NULL) and auth_type Kerberos [Wed Nov 21 12:24:11 > 2007] [debug] src/mod_auth_kerb.c(943): [client 192.168.2.115] Using > HTTP/[EMAIL PROTECTED] as server principal for > password verification [Wed Nov 21 12:24:11 2007] [debug] src/ > mod_auth_kerb.c(683): [client 192.168.2.115] Trying to get TGT for > user [EMAIL PROTECTED] [Wed Nov 21 12:24:11 2007] [debug] src/ > mod_auth_kerb.c(597): [client 192.168.2.115] Trying to verify > authenticity of KDC using principal HTTP/ > [EMAIL PROTECTED] > > The reason for that Problem is that the Browser tried to get a NTLM > Ticket but we dont know why .... everythings is configured for > Kerberos and for the most of all User it works fine. We check allready > different Browsers and we have this Problem with IE 6 & 7 and Firefox. > > I hope someone here had a great Idea what we can do. > > greetz > palm > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
