[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

http negotiate auth: credentials delegation problem


I have a strange problem with http negotiate authentication, which I
cannot solve on my own and I would greatly appreciate any help.

My setup:
kdc: freebsd + heimdal v. 1.0.1
web server: freebsd + apache 2.2.6 + mod_auth_kerb 5.3 + heimdal 1.0.1
client 1: freebsd + heimdal 1.0.1 + firefox
client 2: winxp (not a member of AD domain) + mit kfw 3.1 + firefox

.htaccess on webserver:
AuthName "Test"
AuthType Kerberos

KrbVerifyKDC on
KrbSaveCredentials on
Krb5Keytab /usr/local/etc/apache22/krb5_http_webserv.r61.net.keytab

AuthLDAPBindPassword jiltojki
AuthzLDAPAuthoritative on
require ldap-attribute allowedService=core-adm

require valid-user

On both clients firefox settings network.negotiate-auth.delegation-uris
and network.negotiate-auth.trusted-uris are set to the name of the

This setup used to work some time ago: I could successfully log into
web-server using negotiate authentication and my credentials were
successfully delegated to the web-server. I can't remember exactly, but
it seems that we had heimdal 0.7 at that time on both clients and

Currently I still can log into web-server with negotiate authentication
from both clients. But with freebsd client (client 1) I see no more
credentials forwarding: authentication succeeds, but there is no
credentials cache on server side (and no errors in logs). At the same
time windows client does forward credentials just as expected. 

I've checked all the configs and everything seems to be correct. I did
some code digging on the server side and as I can see mod_auth_kerb
indeed receives no credentials from GSSAPI. I've also enabled log in
firefox and it reports "using REQ_DELEGATE" which, as far as I
understand, means that firefox allows delegation.

Unfortunately I'm not familiar with heimdal code, so could someone tell
me how can I see if heimdal on the client performs credentials
delegation or not? Or maybe (I don't even expect this) somebody will
even tell me how can I solve my problem...

Oleg Sharoiko