Hi

Thank you all for your answers.

At this stage I'm only interested to pass the authentication phase; for authorisation I have a plan already (using ldap).

On 8 February 2011 07:45, Douglas E. Engert <[email protected]> wrote:
>
> Is your PC Windows? Is it in a domain? If so which domain.

It is a windows PC, however it's not on any domain.

> Did you get the ticket using the Windows kerberos, or some other kerberos?

Using MIT Kerberos for PCs.

>
> Is the browser IE or some other browser using non-windows Kerberos?

That's using Firefox. I get the same behaviour connecting from a mac, also with Firefox.

However, someone who replied directly to me gave me a great hint and suggested that the MIT kdc may have been configured to use AES by default; and sure enough:

kadmin.local: getprinc krbtgt/[email protected]
Principal: krbtgt/[email protected]
Expiration date: [never]
Last password change: Mon Feb 07 15:57:45 EST 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 07 15:57:45 EST 2011 (root/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

So in Windows Server, domain & trust, I checked the "the other domain supports Kerberos AES encryption" and now when connecting I see on the M.DOMAIN.COM kdc:

Feb 08 09:02:10 m.domain.com krb5kdc[75](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 60.242.40.141: ISSUE: authtime 1297115394, etypes {rep=23 tkt=16 ses=18}, [email protected] for HTTP/[email protected]

And no more "Decrypt integrity check failed".

Now it fails somewhere else; and on the web server I see:

[Tue Feb 08 09:13:29 2011] [error] [client 1.2.3.4] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, No key table entry found for HTTP/[email protected])

So it would seem the keytab on the web server running mod_auth_kerb will also need a realm created on the new MEL.DOMAIN.COM kdc ..

Jean-Yves

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
