Search Results

Search found 8 results on 1 pages for 'kerb z'.

Page 1/1 | 1 

• Apache Bad Request "Size of a request header field exceeds server limit" with Kerberos SSO

  - by Aurelin

  I'm setting up an SSO for Active Directory users through a website that runs on an Apache (Apache2 on SLES 11.1), and when testing with Firefox it all works fine. But when I try to open the website in Internet Explorer 8 (Windows 7), all I get is "Bad Request Your browser sent a request that this server could not understand. Size of a request header field exceeds server limit. Authorization: Negotiate [ultra long string]" My vhost.cfg looks like this: <VirtualHost hostname:443> LimitRequestFieldSize 32760 LimitRequestLine 32760 LogLevel debug <Directory "/data/pwtool/sec-data/adbauth"> AuthName "Please login with your AD-credentials (Windows Account)" AuthType Kerberos KrbMethodNegotiate on KrbAuthRealms REALM.TLD KrbServiceName HTTP/hostname Krb5Keytab /data/pwtool/conf/http_hostname.krb5.keytab KrbMethodK5Passwd on KrbLocalUserMapping on Order allow,deny Allow from all </Directory> <Directory "/data/pwtool/sec-data/adbauth"> Require valid-user </Directory> SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl.crt/hostname-server.crt SSLCertificateKeyFile /etc/apache2/ssl.key/hostname-server.key </VirtualHost> I also made sure that the cookies are deleted and tried several smaller values for LimitRequestFieldSize and LimitRequestLine. Another thing that seems weird to me is that even with LogLevel debug I won't get any logs about this. The log's last line is ssl_engine_kernel.c(1879): OpenSSL: Write: SSL negotiation finished successfully Does anyone have an idea about that?

  Read the article

• Linking Linux MIT Kerberos with a Windows 2003 Active Directory

  - by Beerdude26

  Greetings, I was wondering how one might link a Linux MIT Kerberos with a Windows 2003 Active Directory to achieve the following: A user, [email protected], attempts to log in at an Apache website, which runs on the same server as the Linux MIT Kerberos. The Apache module first asks the local Linux MIT Kerberos if he knows a user by that name or realm. The MIT Kerberos finds out it isn't responsible for that realm, and forwards the request to the Windows 2003 Active Directory. The Windows 2003 Active Directory replies positively and gives this information to the Linux MIT Kerberos, which in turn tells this to the Apache module, which grants the user access to its files. Here is an image of the situation: http://img179.imageshack.us/img179/5092/linux2k3.png (I'm not allowed to embed images just yet.) The documentation I have read concerning this issue often differ from this problem: Some discuss linking up a MIT Kerberos with an Active Directory to gain access to resources on the Active Directory server; While another uses the link to authenticate Windows users to the MIT Kerberos through the Windows 2003 Active Directory. (My problem is the other way around.) So what my question boils down to, is this: Is it possible to have a Linux MIT Kerberos server pass through requests for a Active Directory realm, and then have it receive the reply and give it to the requesting service? (Although it's not a problem if the requesting service and the Windows 2003 Active Directory communicate directly.) Suggestions and constructive criticism are greatly appreciated. :)

  Read the article

• apache using mod_auth_kerb always asks for the password twice

  - by DrStalker

  (Debian Squeeze) I'm trying to set apache up to use Kerberos authentication to allow AD users to log in. It is working, but prompts the user twice for a username and password, with the first time being ignored (no matter what is put it in.) Only the second prompt includes the AuthName string from the config (i.e.: the first windows is a generic username/password one, the second includes the title "Kerberos Login") I'm not worried about integrated windows authentication working at this stage, I just want users to be able to login with their AD account so we don't need to set up a second repository of user accounts. How do I fix this to eliminate that first useless prompt? The directives in the apache2.conf file: <Directory /var/www/kerberos> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms ONEVUE.COM.AU.LOCAL Krb5KeyTab /etc/krb5.keytab KrbServiceName HTTP/[email protected] require valid-user </Directory> krb5.conf: [libdefaults] default_realm = ONEVUE.COM.AU.LOCAL [realms] ONEVUE.COM.AU.LOCAL = { kdc = SYD01PWDC01.ONEVUE.COM.AU.LOCAL master_kdc = SYD01PWDC01.ONEVUE.COM.AU.LOCAL admin_server = SYD01PWDC01.ONEVUE.COM.AU.LOCAL default_domain = ONEVUE.COM.AU.LOCAL } [login] krb4_convert = true krb4_get_tickets = false The access log when accessing the secured directory (note the two seperate 401's) 192.168.10.115 - - [24/Aug/2012:15:52:01 +1000] "GET /kerberos/ HTTP/1.1" 401 710 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1" 192.168.10.115 - - [24/Aug/2012:15:52:06 +1000] "GET /kerberos/ HTTP/1.1" 401 680 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1" 192.168.10.115 - [email protected] [24/Aug/2012:15:52:10 +1000] "GET /kerberos/ HTTP/1.1" 200 375 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1" And one line in error.log [Fri Aug 24 15:52:06 2012] [error] [client 192.168.0.115] gss_accept_sec_context(2) failed: An unsupported mechanism was requested (, Unknown error)

  Read the article

• Why does mod_auth_kerb have trouble using a machine account?

  - by joeforker

  Instructions for using mod_auth_kerb to authenticate a Linux web server against a Windows domain say it doesn't work to link a machine account with the service name HTTP\[email protected]. Why is it necessary to have a dummy user account instead of a machine account?

  Read the article

• Authentication through mod_auth_kerb should provide website with no user if no TGT provided

  - by loomi

  Users are authenticated by mod_auth_kerb which works great. Therefore I need to set Require valid-user If there is no valid user Apache fails with an 401 Authorization Required. I would like Apache to deliver the website anyway but not providing a remote_user to the underlying script. This is related to How to tell mod_auth_kerb to do its job despite no "require valid-user". But with the important difference that on a whole subdirectory on every url a kerberos negotation should be initiated, and if it fails it should deliver the content anyway.

  Read the article

• Compiling mod_auth_kerb on OS X

  - by bshacklett

  I'm trying to get mod_auth_kerb installed, but I can't seem to find any information on compiling it on OS X. I'm getting the following when I attempt to compile: ./apxs.sh "-I. -Ispnegokrb5 -I/include " "-dynamic -g -O2 -arch x86_64 -Wl,-search_paths_first -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -lresolv" "" "/Applications/XAMPP/xamppfiles/bin/apxs" "-c" "src/mod_auth_kerb.c" /Applications/XAMPP/xamppfiles/build/libtool --silent --mode=compile gcc -prefer-pic -I/Applications/XAMPP/xamppfiles/include -L/Applications/XAMPP/xamppfiles/lib -mmacosx-version-min=10.4 -arch i386 -arch ppc -DDARWIN -DSIGPROCMASK_SETS_THREAD_MASK -no-cpp-precomp -I/Applications/XAMPP/xamppfiles/include -I/Applications/XAMPP/xamppfiles/include -I/Applications/XAMPP/xamppfiles/include -I/Applications/XAMPP/xamppfiles/include -I. -Ispnegokrb5 -I/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo src/mod_auth_kerb.c: In function ‘authenticate_user_krb5pwd’: src/mod_auth_kerb.c:1030: warning: passing argument 8 of ‘verify_krb5_user’ discards qualifiers from pointer target type src/mod_auth_kerb.c: In function ‘authenticate_user_krb5pwd’: src/mod_auth_kerb.c:1030: warning: passing argument 8 of ‘verify_krb5_user’ discards qualifiers from pointer target type /Applications/XAMPP/xamppfiles/build/libtool --silent --mode=link gcc -o src/mod_auth_kerb.la -dynamic -g -O2 -arch x86_64 -Wl,-search_paths_first -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -lresolv -rpath /Applications/XAMPP/xamppfiles/modules -module -avoid-version src/mod_auth_kerb.lo ld: warning: in src/.libs/mod_auth_kerb.o, missing required architecture x86_64 in file warning: no debug symbols in executable (-arch x86_64) I'm configuring as follows: ./configure --with-krb4=no CFLAGS='-g -O2 -arch x86_64' I should mention that I'm using XAMPP with the development package on this machine.

  Read the article

• Apache mod_auth_kerb asking 2 authentication

  - by Rianto Wahyudi

  I've configured Apache to use mod_auth_kerberos. So far everything is working nicely for client thats connected to Active Directory and have their browser to ntlm enabled. When clients are not in the domain or the browser configurerd not to authenticate automatically, they are being prompted by 2 login prompt. The first login prompt is blank and the second one is the oen that we configured First Login prompt: http://www.screencast.com/t/ZGNlZTQwZm Second Login prompt : http://www.screencast.com/t/MDA2N2Fl From the log ( first authentication) : [Wed Jan 06 15:47:29 2010] [debug] src/mod_auth_kerb.c(1684): [client x.x.x.x] [pid 2562] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos In the first loging prompt , I can put any text for username and password. Once the first login form submited, it will ask for the 2nd login prompt. Apache have following config : <Directory /web/apache2/htdocs> AllowOverride All AuthType Kerberos AuthName "Staff Access ONLY Kerb-Auth" KrbAuthRealms EXAMPLE.COM Krb5Keytab /etc/httpd/conf.d/example.ktab Allow from localhost Require valid-user <Directory> What could be the cause of the first authentication and how can I get rid of them ?

  Read the article

• Windows Impersonation failed

  - by skprocks

  I am using following code to implement impersonation for the particular windows account,which is failing.Please help. using System.Security.Principal; using System.Runtime.InteropServices; public partial class Source_AddNewProduct : System.Web.UI.Page { [DllImport("advapi32.dll", SetLastError = true)] static extern bool LogonUser( string principal, string authority, string password, LogonSessionType logonType, LogonProvider logonProvider, out IntPtr token); [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr handle); enum LogonSessionType : uint { Interactive = 2, Network, Batch, Service, NetworkCleartext = 8, NewCredentials } enum LogonProvider : uint { Default = 0, // default for platform (use this!) WinNT35, // sends smoke signals to authority WinNT40, // uses NTLM WinNT50 // negotiates Kerb or NTLM } //impersonation is used when user tries to upload an image to a network drive protected void btnPrimaryPicUpload_Click1(object sender, EventArgs e) { try { string mDocumentExt = string.Empty; string mDocumentName = string.Empty; HttpPostedFile mUserPostedFile = null; HttpFileCollection mUploadedFiles = null; string xmlPath = string.Empty; FileStream fs = null; StreamReader file; string modify; mUploadedFiles = HttpContext.Current.Request.Files; mUserPostedFile = mUploadedFiles[0]; if (mUserPostedFile.ContentLength >= 0 && Path.GetFileName(mUserPostedFile.FileName) != "") { mDocumentName = Path.GetFileName(mUserPostedFile.FileName); mDocumentExt = Path.GetExtension(mDocumentName); mDocumentExt = mDocumentExt.ToLower(); if (mDocumentExt != ".jpg" && mDocumentExt != ".JPG" && mDocumentExt != ".gif" && mDocumentExt != ".GIF" && mDocumentExt != ".jpeg" && mDocumentExt != ".JPEG" && mDocumentExt != ".tiff" && mDocumentExt != ".TIFF" && mDocumentExt != ".png" && mDocumentExt != ".PNG" && mDocumentExt != ".raw" && mDocumentExt != ".RAW" && mDocumentExt != ".bmp" && mDocumentExt != ".BMP" && mDocumentExt != ".TIF" && mDocumentExt != ".tif") { Page.RegisterStartupScript("select", "<script language=" + Convert.ToChar(34) + "VBScript" + Convert.ToChar(34) + "> MsgBox " + Convert.ToChar(34) + "Please upload valid picture file format" + Convert.ToChar(34) + " , " + Convert.ToChar(34) + "64" + Convert.ToChar(34) + " , " + Convert.ToChar(34) + "WFISware" + Convert.ToChar(34) + "</script>"); } else { int intDocLen = mUserPostedFile.ContentLength; byte[] imageBytes = new byte[intDocLen]; mUserPostedFile.InputStream.Read(imageBytes, 0, mUserPostedFile.ContentLength); //xmlPath = @ConfigurationManager.AppSettings["ImagePath"].ToString(); xmlPath = Server.MapPath("./../ProductImages/"); mDocumentName = Guid.NewGuid().ToString().Replace("-", "") + System.IO.Path.GetExtension(mUserPostedFile.FileName); //if (System.IO.Path.GetExtension(mUserPostedFile.FileName) == ".jpg") //{ //} //if (System.IO.Path.GetExtension(mUserPostedFile.FileName) == ".gif") //{ //} mUserPostedFile.SaveAs(xmlPath + mDocumentName); //Remove commenting till upto stmt xmlPath = "./../ProductImages/"; to implement impersonation byte[] bytContent; IntPtr token = IntPtr.Zero; WindowsImpersonationContext impersonatedUser = null; try { // Note: Credentials should be encrypted in configuration file bool result = LogonUser(ConfigurationManager.AppSettings["ServiceAccount"].ToString(), "ad-ent", ConfigurationManager.AppSettings["ServiceAccountPassword"].ToString(), LogonSessionType.Network, LogonProvider.Default, out token); if (result) { WindowsIdentity id = new WindowsIdentity(token); // Begin impersonation impersonatedUser = id.Impersonate(); mUserPostedFile.SaveAs(xmlPath + mDocumentName); } else { throw new Exception("Identity impersonation has failed."); } } catch { throw; } finally { // Stop impersonation and revert to the process identity if (impersonatedUser != null) impersonatedUser.Undo(); // Free the token if (token != IntPtr.Zero) CloseHandle(token); } xmlPath = "./../ProductImages/"; xmlPath = xmlPath + mDocumentName; string o_image = xmlPath; //For impersoantion uncomment this line and comment next line //string o_image = "../ProductImages/" + mDocumentName; ViewState["masterImage"] = o_image; //fs = new FileStream(xmlPath, FileMode.Open, FileAccess.Read); //file = new StreamReader(fs, Encoding.UTF8); //modify = file.ReadToEnd(); //file.Close(); //commented by saurabh kumar 28may'09 imgImage.Visible = true; imgImage.ImageUrl = ViewState["masterImage"].ToString(); img_Label1.Visible = false; } //e.Values["TemplateContent"] = modify; //e.Values["TemplateName"] = mDocumentName.Replace(".xml", ""); } } catch (Exception ex) { ExceptionUtil.UI(ex); Response.Redirect("errorpage.aspx"); } } } The code on execution throws system.invalidoperation exception.I have provided full control to destination folder to the windows service account that i am impersonating.

  Read the article

1