Problems occur when accessing a Kerberos-protected site by IP address. For instance:
http://10.10.1.x:3001/ crashes.
http://my-host:3001/ SSO succeeds.
Apache error logs say:
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@10.10.1.x
[client 10.10.1.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@my-host
[debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0
As you can see, Kerberos is trying to find the principals HTTP@10.10.1.x or HTTP@my-host. For both principals, dummy accounts are created in Active Directory. The keytab file also includes both of them:
KVNO Timestamp Principal
5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
kinit works for both of them.
Kerberos configuration on the server:
Krb5Keytab /etc/krb5.keytab
AuthType Kerberos
KrbMethodNegotiate On
AuthName "Kerberos Login"
KrbAuthRealms MY_DOMAIN.LAN
KrbVerifyKDC Off
KrbMethodK5Passwd On
Require valid-user
Can anyone guess where the problem is? Can I use an IP address in Kerberos SSO?