
Apache Kerberos not authenticating from Windows clients


There are many good sites to refer to; I have set up an Apache 2.4 environment on Solaris 11 using the auth_gss module (mod_auth_gss) for Kerberos authentication. The problem I am having is that I cannot access the protected page using IE, Chrome or Firefox on Windows 7 or Windows Server 2008. I have successfully accessed the secure page using curl and a Python script, and with the Safari and Firefox browsers on OS X 10.10. I have listed the output of successful and failed Kerberos authentication attempts below. I am not sure whether a configuration setting in AD needs to be changed, or whether it is an encryption difference. I am looking for advice on what to do next. Thanks

The AD administrator created a keytab for me; these are the contents of the keytab

cyoull@host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab
Keytab name: FILE:host0ad903_keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/host0ad903.abc.def.net@ABC.DEF.NET
On OS X, this is the Kerberos ticket list from the klist command

Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
        Principal: cyoull@ABC.DEF.NET

  Issued                Expires               Principal
Sep 25 07:22:52 2015  Sep 25 17:22:40 2015  krbtgt/ABC.DEF.NET@ABC.DEF.NET
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
        Principal: cyoull@ABC.DEF.NET

  Issued                Expires               Principal
Sep 25 07:22:52 2015  Sep 25 17:22:40 2015  krbtgt/ABC.DEF.NET@ABC.DEF.NET
Sep 25 07:23:06 2015  Sep 25 17:22:40 2015  HTTP/host0ad903.abc.def.net@ABC.DEF.NET

Valid starting               Expires               Service principal
18/09/2015 10:17  18/09/2015 20:17  krbtgt/ABC.DEF.NET@ABC.DEF.NET
        renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC 
18/09/2015 10:17  18/09/2015 20:17  HTTP/host0ad903.abc.def.net@ABC.DEF.NET
        renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
This is the Apache log after successfully accessing the secure page from Safari on OS X via Kerberos authentication

[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
[Fri Sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull@ABC.DEF.NET
Using the developer tools in Firefox I see three GET requests, and in the Apache log file the Kerberos negotiation appears to be attempted several times and then fail with an error

[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP/host0ad903.abc.def.net@abc.def.net
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
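As an added example (not part of the question, and not code from mod_auth_gss), here is a small Python triage script that parses mod_auth_gss debug and error lines of the format quoted above, groups them per client connection, and reports whether each attempt authenticated a user, never carried a token at all, or presented a token whose mechanism the module did not recognise. The sample lines are a subset of those in the question; the verdict wording, and the suggestion that an unrecognised mechanism usually means a non-SPNEGO token such as an NTLM fallback, are my own assumptions.

```python
import re
from collections import OrderedDict

# Subset of the mod_auth_gss lines quoted in the question (successful OS X
# attempt on ports 56071/56073, failing Windows attempt on port 52459).
SAMPLE_LOG = """\
[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull@ABC.DEF.NET
[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
"""

# Apache error_log envelope; the "mod_auth_gss.c(NNN):" part is absent on
# [core:error] lines, so it is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:mod_auth_gss\.c\((?P<src>\d+)\): )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
MECH_RE = re.compile(r"Client wants GSS mech: (?P<mech>\S+)")
USER_RE = re.compile(r"Authenticated user \(final result\) : (?P<user>\S+)")
FAIL_RE = re.compile(r"gss_accept_sec_context\(\) failed: (?P<reason>.*)$")


def parse_line(line):
    """Return the envelope fields of one log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Fold the log into one record per client ip:port, in first-seen order."""
    out = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["client"], {"rounds": 0, "no_token": False,
                                           "mechs": [], "user": None,
                                           "errors": [], "fails": 0})
        msg = rec["msg"]
        if msg.startswith("gss_authenticate:"):
            s["rounds"] += 1            # one round per request reaching the module
        if msg == "No authentication data found":
            s["no_token"] = True        # request carried no Authorization header
        if msg == "Authentication failed.":
            s["fails"] += 1
        if (m := MECH_RE.search(msg)):
            s["mechs"].append(m.group("mech"))
        if (m := USER_RE.search(msg)):
            s["user"] = m.group("user")
        if (m := FAIL_RE.search(msg)):
            s["errors"].append(m.group("reason"))
    return out


def diagnose(summary):
    """Map each connection record to a coarse, human-readable verdict."""
    verdicts = {}
    for client, s in summary.items():
        if s["user"]:
            verdicts[client] = "ok: " + s["user"]
        elif "<unknown>" in s["mechs"]:
            # Assumption: a mechanism the module cannot name is a non-SPNEGO
            # token (for example an NTLM fallback), not a Kerberos key problem.
            verdicts[client] = "non-SPNEGO token presented; gss error: " + (s["errors"][-1] if s["errors"] else "none")
        elif s["errors"]:
            verdicts[client] = "gss error: " + s["errors"][-1]
        elif s["no_token"] and not s["mechs"]:
            verdicts[client] = "challenge only (client never sent a token)"
        else:
            verdicts[client] = f"spnego token rejected ({s['fails']} failure(s))"
    return verdicts


if __name__ == "__main__":
    for client, verdict in diagnose(summarise(SAMPLE_LOG)).items():
        print(f"{client:24} {verdict}")
```

Run it as-is to see the three connections from the question classified; point `summarise()` at the contents of your own error_log (with `LogLevel debug`) to triage a larger set of clients. The useful signal for this question is the Windows connection: two rounds with a SPNEGO token that is rejected, then a third round whose token the module cannot even identify.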

Have you configured the web browser on Windows to actually do HTTP Negotiate with this server? For example, in Firefox you need to set:

network.negotiate-auth.trusted-uris = abc.def.net
or some other pattern that matches the URL. Similarly, Chrome has to be told that it is willing to authenticate to particular servers, e.g.:

--auth-server-whitelist="*.foo.com"
or via Group Policy

If that is not the problem, then do the following:

  • ipconfig /flushdns
  • klist purge
  • run Wireshark and capture HTTP, DNS and Kerberos traffic (ports 80, 53 and 88) during the failure
  • post the resulting pcap file
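The capture step above leaves the question of what to look at in the HTTP traffic. The Python helper below is an added example (not part of the answer, and not a Wireshark feature): it takes the value of a captured `Authorization: Negotiate ...` request header and classifies the token as SPNEGO, raw Kerberos, NTLM or unknown, using the mechanism OIDs from RFC 4178 and RFC 4121 and the `NTLMSSP\0` signature. The sample tokens are constructed locally so the script runs offline; a browser that has not been told to trust the server, or has no ticket, typically sends NTLM instead of SPNEGO, which a Kerberos-only server rejects, so this is the first distinction worth checking in a capture.

```python
import base64

# DER-encoded OID contents (tag and length stripped).
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2      (RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2 (RFC 4121)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2  (Microsoft Kerberos)
NTLMSSP_MAGIC = b"NTLMSSP\x00"                         # signature of every NTLM message


def _der_length(buf, i):
    """Decode a DER length starting at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_token(token_b64):
    """Classify a base64 GSS-API initial token: spnego, kerberos, ntlm or unknown."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return "unknown"
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlm"
    # RFC 2743 InitialContextToken: [APPLICATION 0] (0x60) len, then OID, then mech data.
    if not raw or raw[0] != 0x60:
        return "unknown"
    try:
        _, i = _der_length(raw, 1)
        if raw[i] != 0x06:
            return "unknown"
        oid_len, j = _der_length(raw, i + 1)
        oid = raw[j:j + oid_len]
    except (IndexError, ValueError):
        return "unknown"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


def classify_header(header_value):
    """Classify the value of an Authorization header as seen in a capture."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "not-negotiate"
    return classify_token(token.strip())


# --- constructed sample tokens (not captured from any real client) ---
def _der_len_bytes(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_gss_token(oid, inner):
    """Wrap mechanism data in an RFC 2743 InitialContextToken for the given OID."""
    body = b"\x06" + _der_len_bytes(len(oid)) + oid + inner
    return b"\x60" + _der_len_bytes(len(body)) + body


SAMPLE_SPNEGO = base64.b64encode(build_gss_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")).decode()
SAMPLE_KRB5 = base64.b64encode(build_gss_token(KRB5_OID, b"\x01\x00" + bytes(200))).decode()
SAMPLE_NTLM = base64.b64encode(
    NTLMSSP_MAGIC + (1).to_bytes(4, "little")          # NTLM Type 1 (negotiate)
    + (0x00088207).to_bytes(4, "little") + bytes(16)   # placeholder flags and empty fields
).decode()

if __name__ == "__main__":
    for label, tok in (("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM)):
        print(f"{label:7} {tok[:16]}... -> {classify_header('Negotiate ' + tok)}")
```

In a capture you can apply the same test by eye: NTLM tokens base64-encode to a value starting with `TlRMTVNTUAAB`, while SPNEGO tokens typically start with `YII` (the 0x60 tag followed by a long-form length). If the Windows browser sends NTLM, the fix is on the client side (trusted-URI configuration, a valid ticket for the service principal, and the service name resolving to the expected host); if it sends SPNEGO and the server still rejects it, the keytab or encryption types are the next thing to compare.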


  • Hi Richard, thanks for the suggestions. I had set up Firefox to do HTTP Negotiate before posting. I was able to get a Wireshark capture, but for security reasons I cannot post the pcap file without changing the host and domain strings. If you can suggest anything specific to look for in the capture I would appreciate it