mod_auth_kerb failing when invalid credentials given

Morris, Andi amorris at
Tue Aug 18 07:02:37 EDT 2015

Hi all,
Apologies for cross-posting, I've also posted this on the Apache users mailing list, as I think that's where the problem actually lies, but I thought as this is a Shibboleth setup someone here might be able to help. For reference it's an IdP setup using Apache with the Tomcat connector to Shibboleth on port 8009. I'm using the mod_auth_kerb module of httpd and the RemoteUser handler of Shibboleth IdP.

"I have two Apache 2.2.15 servers running on Red Hat 6.7, both of which are using the mod_auth_kerb module to authenticate users. As far as I can see, the Apache and module config is identical, but I'm seeing different behaviour when a user enters an invalid username. One will just reprompt for the credentials, the other gives a 403 Forbidden error. This doesn't happen when the user enters an invalid password with a valid user; in this instance the user gets reprompted for the password.

My auth_kerb.conf file is identical apart from the keytab filename on both:
LoadModule auth_kerb_module modules/
<Location /idp/Authn/RemoteUser>
AuthType Kerberos
AuthName "Shib Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.AC.UK
Krb5KeyTab /etc/shibdevkerb.keytab
KrbSaveCredentials On
KrbServiceName HTTP/ at DOMAIN.AC.UK
require valid-user
</Location>

I can successfully perform a kinit on both, so Kerberos is working OK as far as I can tell. However, I'm not sure why the invalid user would be rejected on one and not the other.

The error log on the failing server shows:
[Tue Aug 18 11:29:58 2015] [error] [client] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer:

For reference, this server is part of a Shibboleth IdP setup, published to the internet using MS Forefront TMG. Once authentication has happened, the Apache server passes onto a Tomcat server for the Shibboleth functions to run using the RemoteUser handler.

Can somebody please point out just where I might be able to find the thing that is different between these servers in order to resolve this?"

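As an added example (not from the poster, Apache or the Shibboleth project), a small Python diagnostic for two keytab conditions that commonly produce the "credentials were unavailable or inaccessible" GSS error seen in the log above: whether the file named by Krb5KeyTab is readable by the httpd service user, and whether it holds an HTTP/ principal for the KrbAuthRealms realm. The service user name (apache) and the hostname in the sample klist output are assumptions, and the klist text is constructed.

```python
import grp
import os
import pwd
import stat

# Constructed sample of what `klist -kt /etc/shibdevkerb.keytab` prints on a
# host whose keytab holds the HTTP service principal (hostname is made up).
SAMPLE_KLIST = """Keytab name: FILE:/etc/shibdevkerb.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/18/2015 10:00:00 HTTP/idp-dev.example.ac.uk@DOMAIN.AC.UK
   3 08/18/2015 10:00:00 host/idp-dev.example.ac.uk@DOMAIN.AC.UK
"""


def principals_in_klist(klist_output):
    """Extract principal names from `klist -k` / `klist -kt` output."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry rows start with the numeric KVNO; the principal is the last field.
        if fields and fields[0].isdigit() and "@" in fields[-1]:
            principals.add(fields[-1])
    return principals


def has_http_principal(principals, realm):
    """True if some HTTP/<host>@REALM key exists for the KrbAuthRealms realm."""
    return any(p.startswith("HTTP/") and p.endswith("@" + realm) for p in principals)


def keytab_readable_by(path, user):
    """Check the keytab's mode bits against the httpd user (e.g. 'apache').

    Parent directories and SELinux labels are not checked here.
    """
    try:
        st = os.stat(path)
        pw = pwd.getpwnam(user)
    except (FileNotFoundError, KeyError):
        return False
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_keytab(path, user, realm, klist_output):
    """Run both checks; compare the two dicts produced on the two servers."""
    return {"readable": keytab_readable_by(path, user),
            "has_http_principal": has_http_principal(principals_in_klist(klist_output), realm)}
```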