Single Sign-on for Your Web Applications with Apache and Kerberos
Subject:   I'm almost there...
Date:   2005-03-29 23:20:01
From:   Morpheus4you
Response to: Nice article, but i still can't get it to work (on FC2)

Thank you for pointing me to that module! I had seen it before, but overlooked it's capability for Negotiate support. btw, I liked your book. It is really helping me to understand how Kerberos works. If possible you should add more information about web authentication via the Negotiate protocol as you did in this article, but i'm confident you will do that ;)

Although transparent authentication via a winXP client with IE6, a webserver Apache 2 on Fedora Core2 and Windows 2003 Active directory as KDC doesn't work yet for me, i can succesfully do password authentication :)

The error that was left behind in Apache's error log for using the Negotiate method was:
[Wed Mar 30 08:44:34 2005] [error] [client] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)

When on the Fedora Core 2 machine, i try to authenticate using the keytab file, i get the following error:

[root@krbappserver conf.d]# kinit -k -t http.keytab
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

However, this does work:

kinit http/krbappserver.kerberos.local
Password for http/krbappserver.kerberos.local@KERBEROS.LOCAL:

Shouldn't the authentication with the keytabe file just have worked?