Single Sign-on for Your Web Applications with Apache and Kerberos
Subject:   Nice article, but i still can't get it to work (on FC2)
Date:   2005-03-28 19:57:26
From:   jason_garman
Response to: Nice article, but i still can't get it to work (on FC2)

Hi, since I wrote the article, the mod_auth_kerb module has integrated support for GSSAPI. Have you tried that? You can find mod_auth_kerb at

-- Jason

Full Threads Oldest First

Showing messages 1 through 1 of 1.

  • I'm almost there...
    2005-03-29 23:20:01  Morpheus4you [View]

    Thank you for pointing me to that module! I had seen it before, but overlooked it's capability for Negotiate support. btw, I liked your book. It is really helping me to understand how Kerberos works. If possible you should add more information about web authentication via the Negotiate protocol as you did in this article, but i'm confident you will do that ;)

    Although transparent authentication via a winXP client with IE6, a webserver Apache 2 on Fedora Core2 and Windows 2003 Active directory as KDC doesn't work yet for me, i can succesfully do password authentication :)

    The error that was left behind in Apache's error log for using the Negotiate method was:
    [Wed Mar 30 08:44:34 2005] [error] [client] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)

    When on the Fedora Core 2 machine, i try to authenticate using the keytab file, i get the following error:

    [root@krbappserver conf.d]# kinit -k -t http.keytab
    kinit(v5): Cannot find KDC for requested realm while getting initial credentials

    However, this does work:

    kinit http/krbappserver.kerberos.local
    Password for http/krbappserver.kerberos.local@KERBEROS.LOCAL:

    Shouldn't the authentication with the keytabe file just have worked?