[31656] in Kerberos
Re: Kerberos/Apache receiving Active Directory user/password in
daemon@ATHENA.MIT.EDU (LUISRAMOS)
Fri Nov 6 13:13:25 2009
Message-ID: <26230848.post@talk.nabble.com>
Date: Fri, 6 Nov 2009 10:12:50 -0800 (PST)
From: LUISRAMOS <LUIS.RAMOS@PFIZER.COM>
To: kerberos@mit.edu
In-Reply-To: <vte5s6-fr5.ln1@nb2.stroeder.com>
MIME-Version: 1.0
X-Nabble-From: LUIS.RAMOS@PFIZER.COM
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
We tried using the GSS module and it worked smoothly for Solaris 10, sincethe apache for this solaris version brings all the needed modules off theshelf. However, we havent been able to make it work in Solaris 9, lookslike we might be having an issue with the libraries needed to replicate thesame components Solaris 10 has. When we look at the error logs for Solaris9 this is what we get.
Client wants GSS mech: <unknown>
For Solaris 10, which it works nicely this is the meesage:
Client wants GSS mech: spnego
We are testing different alternatives with the compilation of the gss moduleto see what could we be missing.
Regards
Michael Ströder wrote:> > LUISRAMOS wrote:>> >> Michael Ströder wrote:>>> LUISRAMOS wrote:>>>> We have a unix web server with Apache were we installed kerberos to>>>> implement single sign on.>>> I guess you're using mod_auth_kerb?>>>>>>> The idea with this is to have the ability of autenticating through the>>>> Windows Active Directory once not needing to log again in the unix box.>>>> After the setup, the autentication works. When we log in to the unix>>>> server, a popup window asks for user/pwd. After entering user/pwd the>>>> credentials are autenticated against the windows active directory and>>>> the access to the unix/apache box is granted. However, what we want is>>>> to avoid this login popup. We noticed that when the popup window is>>>> displayed the following message is seeing in the popup: "Warning: This>>>> server is requesting that your username and password be sent in an >>>> insecure manner (basic authentication without a secure connection).>>>> Looks like the internet browser is sending the credentials in plain>>>> text to the unix box.>>>>>>>> Anybody has an idea on how we can configure Kerberos, or any other >>>> component to avoid this popup window.>>>>>> Set "KrbMethodK5Passwd off" in httpd.conf.>>>>>> See also: http://modauthkerb.sourceforge.net/configure.html>>>> Michael, I changed the parameter and got this message:>> >> Authorization Required>> This server could not verify that you are authorized to access the>> document>> requested. Either you supplied the wrong credentials (e.g., bad>> password),>> or your browser doesn't understand how to supply the credentials>> required.> > Well, you have to set up your environment to let the browser use> SPNEGO/Kerberos.> > Ciao, Michael.> ________________________________________________> Kerberos mailing list Kerberos@mit.edu> https://mailman.mit.edu/mailman/listinfo/kerberos> >
-- View this message in context: http://old.nabble.com/Kerberos-Apache-receiving-Active-Directory-user-password-in-plain-text-tp26114792p26230848.htmlSent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________Kerberos mailing list Kerberos@mit.eduhttps://mailman.mit.edu/mailman/listinfo/kerberos
