mod_auth_kerb failing when invalid credentials given
Morris, Andi
amorris at cardiffmet.ac.uk
Tue Aug 18 07:02:37 EDT 2015
Hi all,
Apologies for cross-posting, I've also posted this on the Apache users mailing list, as I think that's where the problem actually lies, but I thought as this is a Shibboleth setup someone here might be able to help. For reference it's an IdP setup using Apache with the Tomcat connector to Shibboleth on port 8009. I'm using the mod_auth_kerb module of httpd and the RemoteUser handler of Shibboleth IdP.
"I have two Apache 2.2.15 servers running on Red Hat 6.7, both of which are using the mod_auth_kerb module to authenticate users. As far as I can see the Apache and module config is identical, but I'm seeing different behaviour when a user enters an invalid username. One will just reprompt for the credentials, the other gives a 403 Forbidden error. This doesn't happen when the user enters an invalid password with a valid user; in this instance the user gets reprompted for the password.
My auth_kerb.conf file is identical apart from the keytab filename on both:
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    <Location /idp/Authn/RemoteUser>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Shib Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.AC.UK
        Krb5KeyTab /etc/shibdevkerb.keytab
        KrbSaveCredentials On
        KrbServiceName HTTP/server.dev.publicdomain.ac.uk@DOMAIN.AC.UK
        require valid-user
    </Location>
I can successfully perform a kinit on both, so Kerberos is working OK as far as I can tell. However I'm not sure why the invalid user would be rejected on one and not the other.
The error log on the failing server shows:
[Tue Aug 18 11:29:58 2015] [error] [client 192.168.219.233] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer: https://server.publicdomain.ac.uk/CookieAuth.dll?GetLogon?curl=Z2FidpZ2FAuthnZ2FRemoteUser&reason=0&formdir=2
For reference, this server is part of a Shibboleth IdP setup, published to the internet using MS Forefront TMG. Once authentication has happened, the Apache server passes on to a Tomcat server for the Shibboleth functions to run using the RemoteUser handler.
Can somebody please point out just where I might be able to find the thing that is different between these servers in order to resolve this?"
Cheers,
Andi
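One way to find where the two servers differ, as an added shell check that is not from the post or from the Shibboleth project: run it on each server and compare the output. It tests the keytab prerequisites mod_auth_kerb needs, assuming the keytab path and service principal from the config above and an httpd run-as user named apache (an assumption).

```shell
#!/bin/sh
# Added check script, not from the post. Run it on each server and compare the
# output: it checks that the keytab exists, that the httpd user can read it and
# that it holds the exact KrbServiceName principal. Defaults are the post's
# values; the httpd run-as user name "apache" is an assumption.
KEYTAB="${KEYTAB:-/etc/shibdevkerb.keytab}"
SERVICE_PRINC="${SERVICE_PRINC:-HTTP/server.dev.publicdomain.ac.uk@DOMAIN.AC.UK}"
HTTPD_USER="${HTTPD_USER:-apache}"

# klist_output_has_principal PRINCIPAL   (reads `klist -kt` output on stdin)
# Exit 0 if an entry's principal column equals PRINCIPAL exactly, else 1.
# Header lines are skipped; the principal is the last field of an entry line.
klist_output_has_principal() {
    awk -v want="$1" '
        /^Keytab name:/ || /^KVNO/ || /^----/ { next }
        NF >= 3 && $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}
# principals_in_klist_output   (stdin: klist -kt output) -> unique principals
principals_in_klist_output() {
    awk '/^Keytab name:/ || /^KVNO/ || /^----/ { next } NF >= 3 { print $NF }' | sort -u
}
check_keytab() {
    status=0
    [ -f "$KEYTAB" ] || { echo "FAIL: keytab $KEYTAB does not exist"; return 1; }
    # kinit as root proves the KDC works, not that httpd can open the keytab:
    # a root-only file yields "credentials were unavailable or inaccessible".
    if command -v sudo >/dev/null 2>&1 && ! sudo -n -u "$HTTPD_USER" test -r "$KEYTAB"; then
        echo "FAIL: $KEYTAB is not readable by $HTTPD_USER"; status=1
    fi
    ls -lZ "$KEYTAB" 2>/dev/null || ls -l "$KEYTAB"   # owner, mode, SELinux context
    if klist -kt "$KEYTAB" | klist_output_has_principal "$SERVICE_PRINC"; then
        echo "OK: $KEYTAB contains $SERVICE_PRINC"
    else
        echo "FAIL: $KEYTAB lacks $SERVICE_PRINC; principals present:"
        klist -kt "$KEYTAB" | principals_in_klist_output
        status=1
    fi
    return $status
}
# Constructed sample of `klist -kt` output, used to exercise the parsers offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/shibdevkerb.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/10/2015 14:22:01 HTTP/server.dev.publicdomain.ac.uk@DOMAIN.AC.UK
   3 08/10/2015 14:22:01 host/server.dev.publicdomain.ac.uk@DOMAIN.AC.UK'
# Live check runs only where klist is installed (i.e. on the servers themselves).
if command -v klist >/dev/null 2>&1; then check_keytab || echo "keytab check failed"; fi
```

Where the live check passes on both servers, the remaining candidates are outside the keytab: compare `ls -lZ` output and the httpd error log at the same timestamp on each box.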