I am really about to lose my mind with this issue, so I hope you can help me. I have googled for hours but just cannot seem to get the right config.
I am setting up Apache on CentOS 7 with Kerberos authentication so that I can achieve SSO in a Windows AD environment. From my understanding this is possible and I should be able to achieve true SSO when accessing via Internet Explorer. Currently I have the following config which generates a 500 Internal Server Error when accessing the site via Internet Explorer but strangely works when using Firefox (albeit I have to enter credentials into a prompt).
I first generated a Service Principal and exported the keytab in Windows using the following command.
ktpass -princ HTTP/server.example.local@EXAMPLE.LOCAL -mapuser EXAMPLE\http-user -crypto ALL -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out D:\krb5.keytab
After copying the keytab to the CentOS server under /etc/httpd/conf/krb5.keytab
I have the following virtual host configured.
<VirtualHost *:80>
ServerName server.shc.local
DocumentRoot /var/www/html/test
LogLevel debug
ErrorLog /var/log/httpd/test-error.log
CustomLog /var/log/httpd/test-custom.log combined
<Location />
Options Indexes
AuthType Kerberos
KrbServiceName "HTTP/server.example.local@EXAMPLE.LOCAL"
AuthName "Welcome to the KRB5 Test"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbVerifyKDC off
KrbAuthRealms SHC.LOCAL
Krb5KeyTab /etc/httpd/conf/krb5.keytab
require valid-user
</Location>
</VirtualHost>
When I access the site via Internet Explorer I get a 500 Internal Server Error and the log looks like this:
[Mon Jun 27 19:14:07.552584 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552637 2016] [authz_core:debug] [pid 2832] mod_authz_core.c(809): [client 192.168.214.202:21545] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:14:07.552690 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21545] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:14:07.552747 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1295): [client 192.168.214.202:21545] Acquiring creds for HTTP/server.example.local@EXAMPLE.LOCAL
[Mon Jun 27 19:14:07.555237 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1155): [client 192.168.214.202:21545] GSS-API major_status:000d0000, minor_status:0000000d
[Mon Jun 27 19:14:07.555250 2016] [auth_kerb:error] [pid 2832] [client 192.168.214.202:21545] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
And then when I access the site via Firefox I get prompted to enter credentials but then I am successfully authenticated. The logs look like this:
[Mon Jun 27 19:16:49.936807 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936849 2016] [authz_core:debug] [pid 2828] mod_authz_core.c(809): [client 192.168.214.202:21577] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:49.936888 2016] [auth_kerb:debug] [pid 2828] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21577] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 27 19:16:50.042925 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042960 2016] [authz_core:debug] [pid 2829] mod_authz_core.c(809): [client 192.168.214.202:21578] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 27 19:16:50.042982 2016] [auth_kerb:debug] [pid 2829] src/mod_auth_kerb.c(1954): [client 192.168.214.202:21578] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Does anyone have any idea what I need to do to get seamless SSO working when accessing the site via Internet Explorer?
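The two mod_auth_kerb debug lines that matter here are the GSS-API status line and the gss_acquire_cred() error that follows it. The script below is an added example, not code from the question or from mod_auth_kerb: it parses those lines (copied from the question as its only input), decodes the major status into its RFC 2744 fields, and maps the minor status to an errno only when the log's own error text agrees, since krb5 minor codes are otherwise mechanism-specific. The `diagnose` wording and the field names are this example's own choices.

```python
import errno
import os
import re

# mod_auth_kerb debug lines copied from the question above; the only input used here.
SAMPLE_LOG = """\
[Mon Jun 27 19:14:07.552747 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1295): [client 192.168.214.202:21545] Acquiring creds for HTTP/server.example.local@EXAMPLE.LOCAL
[Mon Jun 27 19:14:07.555237 2016] [auth_kerb:debug] [pid 2832] src/mod_auth_kerb.c(1155): [client 192.168.214.202:21545] GSS-API major_status:000d0000, minor_status:0000000d
[Mon Jun 27 19:14:07.555250 2016] [auth_kerb:error] [pid 2832] [client 192.168.214.202:21545] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
"""

# GSS-API major status layout (RFC 2744 section 3.9.1):
#   bits 24-31 calling error, bits 16-23 routine error, bits 0-15 supplementary info.
GSS_CALLING_ERRORS = {
    0: "none", 1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE", 3: "GSS_S_CALL_BAD_STRUCTURE",
}
GSS_ROUTINE_ERRORS = {
    0: "GSS_S_COMPLETE", 1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME",
    3: "GSS_S_BAD_NAMETYPE", 4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS",
    6: "GSS_S_BAD_MIC", 7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT",
    9: "GSS_S_DEFECTIVE_TOKEN", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
    11: "GSS_S_CREDENTIALS_EXPIRED", 12: "GSS_S_CONTEXT_EXPIRED",
    13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP", 15: "GSS_S_UNAUTHORIZED",
    16: "GSS_S_UNAVAILABLE", 17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
GSS_SUPPLEMENTARY = {
    1 << 0: "GSS_S_CONTINUE_NEEDED", 1 << 1: "GSS_S_DUPLICATE_TOKEN",
    1 << 2: "GSS_S_OLD_TOKEN", 1 << 3: "GSS_S_UNSEQ_TOKEN", 1 << 4: "GSS_S_GAP_TOKEN",
}


def decode_gss_major(major):
    """Split a 32-bit GSS major status into its three fields."""
    calling, routine = (major >> 24) & 0xFF, (major >> 16) & 0xFF
    return {
        "calling": GSS_CALLING_ERRORS.get(calling, f"unknown({calling})"),
        "routine": GSS_ROUTINE_ERRORS.get(routine, f"unknown({routine})"),
        "supplementary": [n for bit, n in GSS_SUPPLEMENTARY.items() if major & bit],
    }


PRINCIPAL_RE = re.compile(r"Acquiring creds for (\S+)")
STATUS_RE = re.compile(r"GSS-API major_status:([0-9a-fA-F]{8}), minor_status:([0-9a-fA-F]{8})")
FAILED_RE = re.compile(r"(\w+)\(\) failed: (.*)$")


def find_gss_failures(log_text):
    """One record per GSS status line, joined with the principal being acquired
    and the mod_auth_kerb error line that follows it."""
    records, principal = [], None
    for line in log_text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            principal = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m:
            major, minor = int(m.group(1), 16), int(m.group(2), 16)
            records.append({"principal": principal, "major": decode_gss_major(major),
                            "minor": minor, "stage": None, "message": None})
            continue
        m = FAILED_RE.search(line)
        if m and records and records[-1]["stage"] is None:
            records[-1]["stage"], records[-1]["message"] = m.group(1), m.group(2)
    return records


def errno_for_minor(rec):
    """krb5 minor codes are mechanism-specific; when gss_acquire_cred fails on
    the keytab the minor value is the errno of the failed file operation.
    Only map it when the log's error text matches the errno text."""
    minor = rec["minor"]
    if minor in errno.errorcode and rec["message"] and os.strerror(minor) in rec["message"]:
        return errno.errorcode[minor]
    return None


def diagnose(rec):
    """Defender-oriented one-line reading of a failure record."""
    routine, code = rec["major"]["routine"], errno_for_minor(rec)
    if rec["stage"] == "gss_acquire_cred" and routine == "GSS_S_FAILURE" and code == "EACCES":
        return (f"httpd was denied read access to the keytab holding {rec['principal']}: "
                "check the Krb5KeyTab file's owner/mode and its SELinux context")
    if rec["stage"] == "gss_acquire_cred":
        return (f"credential acquisition for {rec['principal']} failed: {routine} "
                f"(minor {rec['minor']:#x}, {code or 'mechanism-specific'})")
    return f"{rec['stage'] or 'GSS call'}: {routine}"


if __name__ == "__main__":
    for rec in find_gss_failures(SAMPLE_LOG):
        print(rec["major"], rec["stage"], errno_for_minor(rec))
        print(diagnose(rec))
```

For the question's log, major 0x000d0000 decodes to routine error 13 (GSS_S_FAILURE) with no calling error, and minor 0x0d is errno 13 (EACCES), which is exactly the "Permission denied" in the message: the KDC and the SPN are not involved yet, httpd simply could not open the keytab.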
OK, I have finally worked this out. I had to disable SELinux! I cannot believe it was that simple, but all I did was disable SELinux, restart the server and the authentication started working. I hope this saves someone else the headaches I have been having!
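Disabling SELinux makes the "Permission denied" go away because it removes the check that was failing; the narrower fix is to find out why httpd could not read the keytab. The script below is an added example (not from the question or the answer) that audits a keytab the way a reviewer would: file mode, whether the uid/gid httpd runs as can read it, and the SELinux type read through os.getxattr. The list of types httpd may read (httpd_config_t, krb5_keytab_t) and the restorecon/chcon remedy are assumptions about the CentOS 7 targeted policy; confirm them on the host with sesearch. The "apache" account name in the usage block is also an assumption.

```python
import os
import pwd
import stat
import tempfile

# Assumption for this example: SELinux file types the CentOS 7 targeted policy
# lets httpd_t read. Verify with:
#   sesearch -A -s httpd_t -t krb5_keytab_t -c file -p read
READABLE_KEYTAB_TYPES = ("httpd_config_t", "krb5_keytab_t")


def selinux_type(path):
    """SELinux type of path (third field of the security.selinux label), or None
    when no label can be read: SELinux disabled, non-Linux, or an unlabelled fs."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        label = getxattr(path, "security.selinux")
    except OSError:
        return None
    # A label looks like b"unconfined_u:object_r:user_home_t:s0\x00".
    parts = label.rstrip(b"\x00").decode(errors="replace").split(":")
    return parts[2] if len(parts) >= 3 else None


def audit_keytab(path, httpd_uid, httpd_gid, allowed_types=READABLE_KEYTAB_TYPES):
    """Return (code, message) findings explaining why httpd may fail to read
    the keytab; an empty list means DAC and labelling both look fine."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append(("WORLD_READABLE",
                         f"{path} is world-readable (mode {mode:04o}); a keytab is a long-term key"))
    owner_ok = st.st_uid == httpd_uid and mode & stat.S_IRUSR
    group_ok = st.st_gid == httpd_gid and mode & stat.S_IRGRP
    if not (owner_ok or group_ok or mode & stat.S_IROTH):
        findings.append(("DAC_UNREADABLE",
                         f"uid {httpd_uid}/gid {httpd_gid} cannot read {path} "
                         f"(owner {st.st_uid}, group {st.st_gid}, mode {mode:04o}); "
                         f"suggested: chown root:{httpd_gid} and chmod 0640"))
    setype = selinux_type(path)
    if setype is None:
        findings.append(("NO_LABEL",
                         "no SELinux label readable; if SELinux is enforcing, check 'ls -Z'"))
    elif setype not in allowed_types:
        # A keytab moved (not copied) from a home or tmp directory keeps its old type.
        findings.append(("SELINUX_TYPE",
                         f"type {setype} is not one httpd_t may read; run 'restorecon -v {path}' "
                         f"(or chcon -t httpd_config_t) rather than disabling SELinux"))
    return findings


def audit_temp_keytab(mode, httpd_uid, httpd_gid):
    """Create a scratch file with the given mode, audit it as if it were the
    keytab, and return only the finding codes. Used for self-testing."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return [code for code, _ in audit_keytab(path, httpd_uid, httpd_gid)]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Assumption: httpd runs as the "apache" account, as on CentOS 7.
    apache = pwd.getpwnam("apache")
    for code, msg in audit_keytab("/etc/httpd/conf/krb5.keytab", apache.pw_uid, apache.pw_gid):
        print(code, "-", msg)
```

On a box where the keytab was moved into /etc/httpd/conf with mv, the audit typically reports SELINUX_TYPE with a home-directory or tmp type; restorecon then relabels it to the directory's default and the gss_acquire_cred() error disappears with SELinux still enforcing.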