07-13-2012 08:13 AM
Hello all,
I'm currently an intern and I have to study Linux integration into an AD domain, with SSO.
I used Likewise first, but it was too buggy :/
I tried Centrify, and that's much better ! (thx for the awesome work, by the way)
But I'm not able to do SSO. I installed Centrify DirectControl Express and the Centrify-enabled Kerberos module, and the AD connection is smooth. I have a ticket at each login, the HTTP SPN is set up, and Centrify detected the two domain controllers automatically, and the encryption too.
Looks like the client is clean.
I configured Firefox to do SSO following tutorials, and the server keeps asking me for a manual login (I think the server is well configured, but I can't be sure; I'm only an intern :>).
I configured Firefox to do some logging, but the log is empty after trying to authenticate. I looked at the network traffic with Wireshark, and it looks like the Kerberos ticket is sent to the server. So I don't understand at all what my problem is.
Any ideas or help?
Thanks in advance, and sorry for my bad English (I'm French).
Some useful data:
/etc/krb5.conf (manually configured; I deactivated the Centrify auto refresh of the file, thanks to some solutions you provided to customers on this forum)
[libdefaults]
default_realm = INTRANET-BOURGES.FR
default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
passwd_check_s_address = false
udp_preference_limit = 1
ccache_type = 3
kdc_timesync = 0
allow_weak_crypto = true
[domain_realm]
.client-02 = INTRANET-BOURGES.FR
.intranet-bourges.fr = INTRANET-BOURGES.FR
client-02 = INTRANET-BOURGES.FR
client-02.intranet-bourges.fr = INTRANET-BOURGES.FR
intranet-bourges.fr = INTRANET-BOURGES.FR
s-dc1.intranet-bourges.fr = INTRANET-BOURGES.FR
s-dc3.intranet-bourges.fr = INTRANET-BOURGES.FR
[realms]
INTRANET-BOURGES.FR = {
kdc = s-dc1.intranet-bourges.fr:88
master_kdc = s-dc1.intranet-bourges.fr:88
kpasswd = s-dc1.intranet-bourges.fr:464
kpasswd_server = s-dc1.intranet-bourges.fr:464
kdc = s-dc3.intranet-bourges.fr:88
master_kdc = s-dc3.intranet-bourges.fr:88
kpasswd = s-dc3.intranet-bourges.fr:464
kpasswd_server = s-dc3.intranet-bourges.fr:464
}
Here is the output of the klist command:
Ticket cache: FILE:/tmp/krb5cc_cdc1350591366_2A9SES
Default principal: vincent.vieira@INTRANET-BOURGES.FR

Valid starting     Expires            Service principal
07/13/12 16:43:00  07/14/12 02:41:29  krbtgt/INTRANET-BOURGES.FR@INTRANET-BOURGES.FR
        renew until 07/20/12 16:43:00
Here is the output of the klist -kt command:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
And here is the Firefox configuration:
network.negotiate-auth.delegation-uris=http://s-intranet2,https://s-exchange2/mail,https://exchange10/owa
network.negotiate-auth.gsslib=/opt/centrify/DirectControl-4.4.3/kerberos/lib/libgssapi_krb5.so.2.2
network.negotiate-auth.trusted-uris=http://s-intranet2,https://s-exchange2/mail,https://exchange10/owa
network.negotiate-auth.using-native-gsslib=false
I can provide you the Wireshark dumps if you want, just ask me. :)
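A quick check on the client-side data in this post, added here as an example (it is not code from the thread, from Centrify or from MIT Kerberos): it parses klist -kt output, collapses the one-row-per-enctype listing into distinct principals, and tells you whether a given service principal is present, missing, or present only under a different case. Kerberos principal names are case-sensitive while AD treats SPNs case-insensitively, so "http/host" in a keytab and a ticket for "HTTP/host" are worth flagging. KLIST_OUTPUT is a constructed sample shaped like the listing above. Note that this only inspects the keytab it is given; for web SSO the keytab that matters is the one mod_auth_kerb reads on the web server, so feed it the klist -kt output from there.

```python
"""Check which service principals a keytab can serve, from 'klist -kt' output.
Added example for this thread; not code from Centrify or MIT Kerberos."""
import re
from collections import defaultdict

# Constructed sample: same shape as the poster's listing, where klist -kt prints one
# row per enctype for each principal (the enctype itself is only shown with -e).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
"""

# KVNO, "MM/DD/YY HH:MM:SS", principal
ROW = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s*$")


def parse_klist_kt(text):
    """Map principal -> set of KVNOs, collapsing the per-enctype duplicate rows."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m and "@" in m.group(3):
            table[m.group(3)].add(int(m.group(1)))
    return dict(table)


def check_spn(text, spn):
    """Report whether 'spn' (e.g. HTTP/host@REALM) is served by this keytab.

    Returns ("present", [kvnos]), ("case-mismatch", [near misses]) or ("missing", []).
    Names are compared exactly because Kerberos principal names are case-sensitive;
    a keytab entry that differs only in case is reported separately so it is noticed.
    """
    table = parse_klist_kt(text)
    if spn in table:
        return "present", sorted(table[spn])
    near = [p for p in table if p.lower() == spn.lower()]
    if near:
        return "case-mismatch", near
    return "missing", []


if __name__ == "__main__":
    for spn in ("http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR",
                "HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR",
                "HTTP/s-intranet2.intranet-bourges.fr@INTRANET-BOURGES.FR"):
        print(spn, "->", check_spn(KLIST_OUTPUT, spn))
```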
07-13-2012 11:28 AM - edited 07-13-2012 11:37 AM
Hi Vincent,
According to the details you gave, you seem to have a valid Kerberos ticket and a correctly configured Firefox client. However, the problem is often on the server side when SSO doesn't work. In most cases the server doesn't send the HTTP 401 stimulation, so Firefox doesn't answer with the Kerberos ticket and instead you fall back to classic form authentication.
As I am also French, you could contact me by mail to try to figure out what is happening.
Fabrice
07-13-2012 12:25 PM
I just sent you a private message. But there's a little bug, I think: you have the same nickname as another user, so I must reply to both to get my message sent..
I think we should find another way to communicate.
Anyway, thanks for your interest !
But my problem is still here.. So if anyone has a solution or some tips, I'm taking them!
07-16-2012 08:21 AM
Sorry for the double post, but I provide here some additional data about the HTTP 401 stimulation. I looked at the HTTP headers, and all seems normal; I don't understand why I keep falling back to basic authentication:
http://s-intranet2/

GET / HTTP/1.1
Host: s-intranet2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Authorization Required
Date: Mon, 16 Jul 2012 15:14:35 GMT
Server: Apache
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Veuillez vous identifier"
Content-Length: 401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
http://s-intranet2/

GET / HTTP/1.1
Host: s-intranet2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Negotiate YIIGFQYGKwYBBQUCoIIGCTCCBgWgCjAIBgYrBgEFAgWiggX1BIIF8WCCBe0GBisGAQUCBQUBMBehFQQTSU5UUkFORVQtQk9VUkdFUy5GUmyCBcYwggXCoQMCAQWiAwIBDKOCBTQwggUwMIIFLKEDAgEBooIFIwSCBR9uggUbMIIFF6ADAgEFoQMCAQ6iBwMFAAAAAACjggREYYIEQDCCBDygAwIBBaEVGxNJTlRSQU5FVC1CT1VSR0VTLkZSoigwJqADAgEAoR8wHRsGa3JidGd0GxNJTlRSQU5FVC1CT1VSR0VTLkZSo4ID8jCCA+6gAwIBF6EFAgMBhqKiggPeBIID2gaib39cj5WLiydVHTbvnB+N1W92B7Qikx2sh3RfoqmPvT/oFizCBfvbJpeH4eYxt8QddADARsFaGxBZL7ondngyXtpVGne3iecaL3mqliCA0h0/0mx5ywQmbOxGiOv+SIqchflwyePoTUwRvVnqVBh6pOUWOWtdoWzQdt1oTk8OEppfBt+U6gVVFfFZHIuRPlQq+9UDSXg9i6bvk5rok09+SWHCWEmykHAwZAa+LNSzkjziOjGMghwYIhEj+XxuvWxzXrB73fHNq0Nn36xVpkZI1PxNR7/1YApj+GxdYGJTQ4t/2hWypCQ1d0znYRcLG1/PZZsggfMLKTrI6aIhTLRr7lqp2ZNYShmPdwLEtrXt6dk9Cf2xZ1YYaGCRi1seWp1gqFeEV/V2Pw/IzwEMmBNw69F4O3uHPGkGGfHII1VKrg86w0opFtBJtk+epH2IgjINNlWQjeBP/XuhtNhiP6ZGbuUD58OfCDYnNGpW9hpWK8BjE2dxT39bH8HuKO3PY8Kb8MZQF4uKSSRz+OHFJevJwUEJ8ppZyBjDbqcSoVnx2PXIlMxyNpEQhBBVkLNEamITePMVfZUp8uytwr1yIZPUz2AE8+eGlzQvowEOQTyYpjmI7gfsRrS+Tve4xXWfkBp0xOW0QCJd6gcDOD++p1iLXpTlwKBhqAzlKsPQqzKLZ5ypXMt/+vDicwPOtDi5icteCIA7X2sVxce0raRV2p8aBeK8LXN2ZDROtPiZPgq8DeKdoZ+PCdNWwBYqFKZRzZpd2Z9k5gPPVVLQ1+tyOZ/0bGK6qZtHqmGB7q5hWZvMo5xhHJlPKKeghKR9WHSOjMgi4ok1LLMawNnfbbgN14pZFrbhafdroEoEUec2mZjZSDe2ZfWgsVnE5b2SKX/X55ipMORv/pgkbtS+z1iylekJOHWP6wF9XCZ/55FvsxNE50yo13wun3AQKmVkf4a3Re6WV4IWRu9FSg1Rmd0mAXcbOc0/9reWA42j/8MeTiPuJCvvyP0rvqUQv9bLyS0tVsRHYEK9kkta9iqQRxZh9JUl6FN17RGO8AAdCHjoU8PkOzbci5fU7L5MDf3WmrsyNMjC1hkrQ/ZN47Uf82V11+wr+AWTGg4ddGQAI5YupyaL6MszA+5LnfxbcAE8RNRw/K0likA3x4ksJqlFERyRpwX9AcNXxtF1fLeHu+xoj+GdpJ+jffcdAdTo0OwI90stnrly/Yol/flqvDxRjLmW4y2yMI0lKdNYh78yOtMt05hRq807u9r5H4ogQYXzrlfcH28bo6IJw1d2EuLP1DVXytDIAWM+Alk4DQvlpIG5MIG2oAMCAReiga4EgaujYghu9f2l4ZlCR42mNFJCFIgpAXrvsAUdMNs/wgfk0pI5ibfO+qn9PO18DaLioz645F1doyfpdNENlx8N1rOnoXQng8jhOSpMIxpX7k6rdTvOSfPBT18krXjH/SrWwPOgzxoJPKZ9ZtbVKTEvHcBFSCVBmklgJCxrfNyI7tQ89WGNi6lpLpwVqiiZjZ3wTtXOaPg+92TCcwVbzDRybL36oIXNZtweZ9Q4ma2kfjB8oAcDBQAAgQAAohUbE0lOVFJBTkVULUJPVVJHRVMuRlKjLDAqoAMCAQOhIzAhGwRIVFRQGxlpbnRyYW5ldC52aWxsZS1ib3VyZ2VzLmZypREYDzIwMTIwNzE3MDExODAzWqcGAgRQBDEaqBEwDwIBEgIBEQIBFwIBAwIBAQ==

HTTP/1.1 401 Authorization Required
Date: Mon, 16 Jul 2012 15:14:35 GMT
Server: Apache
WWW-Authenticate: Basic realm="Veuillez vous identifier"
Content-Length: 401
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
07-16-2012 12:51 PM
What are you using on the web server side to achieve SSO? What web server platform are you using and how are you trying to get SSO? Obviously you're trying to get Kerberos to work, but it would be helpful to know how you're configuring the backend.
Did the network trace show any errors?
Please note that we have great solutions for SSO access to applications running on Apache, JBoss, Tomcat, WebLogic and WebSphere that will guarantee you SSO access and will work much more reliably than mod_auth_kerb type solutions, while giving you NTLM, Basic authentication and group-membership-based authorization. You can find more information here.
07-16-2012 01:21 PM - edited 07-16-2012 01:25 PM
Hello,
I'm using (or more precisely, the company I'm working for is using) Apache, with the mod_auth_kerb plugin.
I took a look at the backend, and it seems to have a problem with the configuration.
Krb5ServiceName seems to be misconfigured, and this is maybe why my keytab is rejected.
The configured SPN is :
Krb5ServiceName = HTTP/s-intranet2.intranet-bourges.fr@INTRANET-BOURGES.FR
And when I'm looking at my keytab, the SPN is:
HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
I will do some tests tomorrow and I'll keep this post updated.
Thanks for the link, but as I'm only an intern, the company doesn't want to put money into this for the moment (because the Linux integration is only a project, and because all PCs run Windows; mod_auth_kerb works well with Windows authentication).
The network trace shows that the Linux client sees that the server can use Negotiate, sends the Kerberos token to the server, and then the server answers the GET with another HTTP 401, with only basic authentication (which means that the token is rejected).
07-16-2012 01:46 PM
If I were you, as part of your write-up I would advise your management that mod_auth_kerb doesn't provide:
1) Fallback to NTLM or Basic authentication in case of Kerberos failures like the one you're experiencing.
2) Centralized Authorization capabilities based on AD group membership
3) The ability to bring back to the application all AD user attributes
4) No support
If they would like an Enterprise solution, mod_auth_kerb won't provide them that.
With that said, your issue is likely due to the fact that you haven't registered the URL as an SPN for the computer account.
The easiest way to do this is to leave the machine from the domain by running the adleave command:
/usr/sbin/adleave -u <adusername> -r
Then run the adjoin command like you did before, except that this time you want to add the -a option and enter all of the URLs associated with this web server, like so:
/usr/sbin/adjoin -w -u <adusername> -c <OU> -a url1.company.com -a url2.company.com <addomain>
After you have joined the system to AD, the output of the following command will display all of the SPNs associated with the computer account:
adinfo -C
Then on the client side, be sure to lock your screen and to unlock it. This will flush your Kerberos cache and force IE to get a new TGS for the web server.
If you're still having issues, run a network trace.
Another thing to be aware of is an encryption type mismatch. Centrify uses the strongest algorithm type the AD environment we're joining supports (i.e. AES 256 for a Windows 2008 environment). mod_auth_kerb may only support weaker encryption types.
Good luck.
07-17-2012 02:42 AM - edited 07-17-2012 02:53 AM
mod_auth_kerb allows fallback to basic authentication with the right config; that's what I'm experiencing.
By the way, I tested your tips and it didn't work at all: I can't join the domain.
I issue this command:
/usr/sbin/adjoin -u <username> -w -a s-intranet2.intranet-bourges.fr -a s-dev.intranet-bourges.fr -a s-exchange2.intranet-bourges.fr INTRANET-BOURGES.FR
And then I get this error message:
Using writable domain controller: s-dc1.intranet-bourges.fr
Error: One or more of the following SPNs already associated with other account in the forest:
HTTP/client-02
HTTP/client-02.intranet-bourges.fr
HTTP/s-dev.intranet-bourges.fr
HTTP/s-exchange2.intranet-bourges.fr
HTTP/s-intranet2.intranet-bourges.fr
host/client-02
host/client-02.intranet-bourges.fr
host/s-dev.intranet-bourges.fr
host/s-exchange2.intranet-bourges.fr
host/s-intranet2.intranet-bourges.fr
Accounts that contain same SPNs are:
CN=httpd-sdev,OU=ADM,DC=intranet-bourges,DC=fr
CN=httpd-intranet,OU=ADM,DC=
Each SPN must be unique across the forest. Please make sure the SPNs listed above are unique across the forest before joining.
Join to domain 'INTRANET-BOURGES.FR', zone 'Auto Zone' failed.
When I run the command without any -a arguments, I join the AD domain without any problems. But I can't do SSO, because of the lack of the right SPN in the keytab.
As far as I know, there are two user accounts in AD made for the HTTP SPNs, one for each website I'm trying to do SSO for. They are mandatory to perform SSO on Windows.
Is there any way to bypass this limitation, or a way to edit the keytab to get the right SPNs configured?
07-17-2012 05:57 AM
Yes. You can try to get mod_auth_kerb to fall back to Basic, but my past research uncovered that many people had issues trying to get it to work.
Even if you get it to work reliably, you won't have support for the solution, AD group authorization capabilities, etc.
It's an option to present to your management if they want an enterprise solution. It will also come across like you've done research, etc.
The reason the suggestion didn't work is because Kerberos principals have to be unique in a Kerberos realm, and since the SPN you're trying to associate with a new computer account is already associated with another computer/user account, the join fails.
If you have two user accounts with the right SPNs already registered, you need to use those user accounts to obtain the TGS and then use keytabs for those user accounts to validate the TGS on the server side. This would also explain why you're getting a failure with SSO.
There is a way to get what you're trying to do to work.
1) Create a keytab for each user account and tell mod_auth_kerb to use the appropriate keytab. You can use the Centrify-provided adkeytab utility to do this; man adkeytab for more details. mod_auth_kerb has a Krb5Keytab directive you can use to specify which keytab to use.
2) Create a keytab for each user account (man adkeytab for more details) and merge the keytab(s) with the machine keytab. The ktutil command will help you merge the keytabs; man ktutil or search the web for details.
In summary, principals and SPNs must be unique in AD. If you already have user accounts with the SPNs created for the URLs that will be used, you need to create keytabs based on those user accounts. mod_auth_kerb will have to use a keytab that contains the SPNs and secret keys of the principals the SPNs are associated with, to properly verify the TGS being forwarded by the browser.
Good luck.
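The merge step in option 2 above, written out as an added example (not the thread's, Centrify's or MIT's code) so that the keytab file layout is visible: read_keytab() parses the MIT keytab format (version 0x502: a per-entry size, realm, name components, name type, timestamp, 8-bit and 32-bit kvno, enctype and key), merge_keytabs() concatenates several images while dropping duplicate (principal, kvno, enctype) triples, which gives the same result as reading each file with ktutil's rkt and writing them out with wkt, minus repeated rows, and principals() lists what the result can serve. The two inputs come from build_sample_keytabs() with dummy keys; the realm and hostnames follow the thread, and nothing here touches /etc/krb5.keytab.

```python
"""Merge MIT-format (0x502) keytabs and list the principals the result holds.
Added example for this thread; not code from Centrify, MIT Kerberos or mod_auth_kerb.
Inputs are constructed in build_sample_keytabs() with dummy keys."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # e.g. HTTP/s-dev.intranet-bourges.fr@INTRANET-BOURGES.FR
    name_type: int      # 1 = NT-PRINCIPAL, 3 = NT-SRV-HST
    timestamp: int
    kvno: int
    enctype: int        # 17 = aes128-cts, 18 = aes256-cts, 23 = arcfour-hmac
    key: bytes


def _cstr(buf, pos):
    """counted_octet_string: big-endian uint16 length, then data."""
    n, = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def _pack_cstr(data):
    return struct.pack(">H", len(data)) + data


def read_keytab(data):
    """Parse a keytab file image into KeytabEntry objects (deleted slots skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x502 is handled")
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos)     # size of the fields that follow
        pos += 4
        if size < 0:                                     # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, = struct.unpack_from(">H", data, pos + 9)
        key, pos = _cstr(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                               # 32-bit kvno overrides vno8 if present
            kvno, = struct.unpack_from(">I", data, pos)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                                   name_type, timestamp, kvno, enctype, bytes(key)))
        pos = end
    return entries


def write_keytab(entries):
    """Serialize entries back into a 0x502 keytab image."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_cstr(realm.encode("utf-8"))
        body += b"".join(_pack_cstr(c.encode("utf-8")) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _pack_cstr(e.key)
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_keytabs(*images):
    """Concatenate keytab images, dropping exact duplicates of (principal, kvno, enctype)."""
    seen, merged = set(), []
    for image in images:
        for e in read_keytab(image):
            ident = (e.principal, e.kvno, e.enctype)
            if ident not in seen:
                seen.add(ident)
                merged.append(e)
    return write_keytab(merged)


def principals(image):
    """Distinct principals in a keytab image, sorted (klist -kt output, de-duplicated)."""
    return sorted({e.principal for e in read_keytab(image)})


def build_sample_keytabs():
    """Constructed stand-ins for the machine keytab and an adkeytab-made user keytab.
    Keys are dummy 16-byte patterns, not real Kerberos keys."""
    realm = "INTRANET-BOURGES.FR"

    def entries(names, kvno):
        return [KeytabEntry(f"{n}@{realm}", 1, 1342537276, kvno, et, bytes([et]) * 16)
                for n in names for et in (17, 18, 23)]
    machine = write_keytab(entries(["host/client-02.intranet-bourges.fr",
                                    "HTTP/client-02.intranet-bourges.fr", "client-02$"], 3))
    user = write_keytab(entries(["HTTP/s-dev.intranet-bourges.fr"], 3))
    return machine, user


if __name__ == "__main__":
    machine, user = build_sample_keytabs()
    for p in principals(merge_keytabs(machine, user)):
        print(p)
```

For the real files keep using adkeytab and ktutil; whichever tool writes the merged keytab, make it mode 0600 and owned by the account Apache runs as, point Krb5Keytab at it, and remember that entries taken from a user account stop decrypting tickets once that account's password changes (the kvno moves on), so the keytab has to be regenerated at that point.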
07-17-2012 08:31 AM - last edited on 09-25-2012 04:03 PM by twamley
Okay, thanks for the tips.
I just tried with one of the websites.
When browsing the keytab, here is the output:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/17/12 17:01:16 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/s-dev.intranet-bourges.fr@INTRANET-BOURGES.FR
We can see that the last SPN is configured. I configured Firefox too, with the same config as in my first post here (replacing the trusted URIs and delegation URIs with ht
And it works! I don't have to log in to get access to the website.
Something weird: I also have access to the s-intranet2 website, without the entry in the keytab.
But I still don't have access to the s-exchange2 server, the mail server. I'll configure this tomorrow with the appropriate keytab.
If I'm experiencing any problems, I'll post here, but most of the work is done now..
Thanks for your help and your patience Fel, I appreciate a lot when a company helps users (even free-users) one by one.