mod_auth_gssapi

Basic login works only first time

Open nestle2377 opened this issue 4 years ago • 0 comments

Hi, I'm implementing mod_auth_gssapi and it works fine. I have a strange behaviour with Chrome and Basic login (when the client is not on the domain). When the pop-up appears, if I enter the correct credentials the first time, I'm successfully logged in. If I type wrong credentials, the pop-up appears again, but now even if I enter the correct credentials I can't get in.

In the logs, when this happens, I have this entry:

[Thu Mar 11 10:09:29.699735 2021] [auth_gssapi:debug] [pid 79110:tid 140125019256576] mod_auth_gssapi.c(870): [client 10.211.30.219:56612] URI: /dominio/sigma/app/, no main, no prev
[Thu Mar 11 10:09:29.815996 2021] [auth_gssapi:error] [pid 79110:tid 140125019256576] [client 10.211.30.219:56612] GSS ERROR gss_init_sec_context(): [Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)]

It's strange that it says there is no support for the encryption type, since it works on the first attempt.

This is my configuration:

    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiBasicAuth On
    KrbServiceName Any
    GssapiUseSessions On
    GssapiSessionKey key:<RANDOM>
    Session On
    SessionCookieName gssapi_session path=/dominio;domain=intranet.servizi;httponly;secure;
    GssapiCredStore keytab:/var/www/html/rf002/conf/sa_RF002-KRB-Svil.keytab
    Require valid-user

My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SISTEMI.GROUP
 dns_lookup_kdc = true
 dns_lookup_realm = false
 ticket_lifetime = 86400
 renew_lifetime = 604800
 forwardable = true
 proxiable = true
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 udp_preference_limit = 1
 kdc_timeout = 3000

[realms]
SISTEMI.GROUP = {
 kdc = sisvrdc01.sistemi.group
 admin_server = sisvrdc01.sistemi.group
 kdc = sisvrdc02.sistemi.group
 kdc = sisnodc01.sistemi.group
 kdc = sisnodc02.sistemi.group
}

[domain_realm]

[capaths]
SEDI-DIREZIONI.GROUP = {
 SISTEMI.GROUP = KRONOS.GROUP
}

And my keytab:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/[email protected] (aes256-cts-hmac-sha1-96)

Any idea?

Thanks!

nestle2377 · Mar 11 '21 09:03
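One thing worth ruling out whenever a KDC reports "no support for encryption type" is a disagreement between the enctypes the client side is allowed to use (the `permitted_enctypes` / `default_tkt_enctypes` / `default_tgs_enctypes` lists in `[libdefaults]`) and the enctypes of the keys actually present in the service keytab. The script below is an added example, not part of the original post and not mod_auth_gssapi code: it parses a krb5.conf and a `klist -kte` / ktutil-style keytab listing and reports keytab keys whose enctype is not permitted, plus any legacy enctype on either side. The sample inputs are constructed to mirror the issue (AES-only krb5.conf, one aes256 key) with a made-up second keytab entry using RC4 so that the mismatch path is exercised; the principal names are hypothetical, and the alias table covers only the common MIT short names.

```python
"""Offline check: do the keytab's enctypes fall inside what krb5.conf permits?

Added example for the mod_auth_gssapi issue above; not project code.
Inputs are parsed as text so the check runs without a KDC or a real keytab.
"""
import re

# MIT krb5 accepts short aliases for some enctypes; normalise them so a config
# saying "aes256-cts" matches a keytab listing that prints the long form.
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
}
# Types a modern deployment should not be issuing or accepting.
LEGACY = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")


def canon(name):
    """Lower-case an enctype name and expand known MIT aliases."""
    name = name.strip().lower()
    return ENCTYPE_ALIASES.get(name, name)


def libdefaults_enctypes(conf_text):
    """Return {key: [enctypes]} for the enctype lists found in [libdefaults].

    Only the [libdefaults] section is inspected; nested realm blocks with
    braces are skipped because the section tracker is no longer 'libdefaults'.
    """
    out, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ENCTYPE_KEYS:
            out[key.strip()] = [canon(e) for e in value.split()]
    return out


def keytab_enctypes(listing_text):
    """Parse 'principal@REALM (enctype)' lines from klist -kte or ktutil output."""
    entries = []
    for line in listing_text.splitlines():
        m = re.search(r"(\S+@\S+)\s+\(([^)]+)\)", line)
        if m:
            entries.append((m.group(1), canon(m.group(2))))
    return entries


def check(conf_text, listing_text):
    """Return a list of human-readable findings; empty means no mismatch found."""
    conf = libdefaults_enctypes(conf_text)
    permitted = set(conf.get("permitted_enctypes", []))
    findings = []
    for principal, etype in keytab_enctypes(listing_text):
        if permitted and etype not in permitted:
            findings.append(f"{principal}: keytab enctype {etype} is not in permitted_enctypes")
        if etype in LEGACY:
            findings.append(f"{principal}: keytab uses legacy enctype {etype}")
    for key, etypes in conf.items():
        weak = sorted(set(etypes) & LEGACY)
        if weak:
            findings.append(f"{key} allows legacy enctypes: {', '.join(weak)}")
    return findings


# Constructed sample inputs (hypothetical hostnames; realm taken from the post).
SAMPLE_CONF = """\
[libdefaults]
 default_realm = SISTEMI.GROUP
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
SISTEMI.GROUP = {
 kdc = kdc01.example.test
}
"""

SAMPLE_KEYTAB = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/web.example.test@SISTEMI.GROUP (aes256-cts-hmac-sha1-96)
   2    1 HTTP/old.example.test@SISTEMI.GROUP (arcfour-hmac)
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_KEYTAB) or ["no enctype mismatch found"]:
        print(finding)
```

Feed it the real files with `check(open("/etc/krb5.conf").read(), subprocess.check_output(["klist", "-kte", keytab], text=True))`; an empty result only rules out a client-side mismatch, since the KDC's own enabled enctypes for the user and service principals are not visible from these two files.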