Hi, We run a customer subscription website. Our customers are other companies. A few of our customers have requested Single Sign On so their employees don't have to enter credentials when accessing our site.
We would prefer to only have one domain, but authorize them via different folders. I've set up two AD instances in our test environment. Our setup is as follows:

*krb5.conf*

[libdefaults]
    default_realm = AD.OURCOMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    AD.OURCOMPANY.COM = {
        kdc = 172.30.0.222
    }
    AD2.OURCOMPANY.COM = {
        kdc = 172.30.0.184
    }

[domain_realm]
    #nothing

*Apache vhost file*

<VirtualHost *:443>
    ServerName test.ourcompany.com
    ....
    <LocationMatch "/ad$">
        AuthType Kerberos
        KrbServiceName HTTP/test.ourcompany....@ad.ourcompany.com
        AuthName "The Nice Login Greeting Goes Here"
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC off
        KrbAuthRealms AD.OURCOMPANY.COM
        Krb5KeyTab /etc/ad.keytab
        KrbSaveCredentials on
        require valid-user
    </LocationMatch>
    <LocationMatch "/ad2$">
        AuthType Kerberos
        KrbServiceName HTTP/test.ourcompany....@ad2.ourcompany.com
        AuthName "The Nice Login Greeting Goes Here"
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC off
        KrbAuthRealms AD2.OURCOMPANY.COM
        Krb5KeyTab /etc/ad2.keytab
        KrbSaveCredentials on
        require valid-user
    </LocationMatch>
</VirtualHost>

I thought I had everything working, then I tried to change the password for the AD2 SPNs and it started prompting for credentials when going to test.ourcompany.com/ad2. test.ourcompany.com/ad still works great. Although the domain names are AD and AD2, they are in no way related and have no trust relationship. After changing the password on AD2 I created a new keytab file and restarted Apache. Before, both AD server SPNs had the same username and password, so it might not have been working as I thought it did. I'm not sure??? That is why I changed one of the SPN's passwords. I also read something about keytab versions and that Kerberos might be looking for an older version?? I'm very sorry if this is a novice question.
This is our first time doing anything with Kerberos or LDAP/AD. Any assistance would be greatly appreciated.

Thanks,
Matt

--
View this message in context: http://kerberos.996246.n3.nabble.com/Change-AD-Service-Principal-Name-Prompting-for-Credentials-tp44163.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
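The keytab-version suspicion in the post is worth checking mechanically. Active Directory increments the key version number (kvno) of a service account every time its password is reset, so a keytab generated before the reset holds keys the KDC no longer issues tickets for; mod_auth_kerb then cannot decrypt the service ticket and falls back to a password prompt. The script below is an added example, not code from the post or from mod_auth_kerb: it parses the output of MIT `klist -kte` (the keytab's entries) and of `kvno <SPN>` (what the KDC currently reports) and flags a mismatch. The SPN, file name and both command outputs are constructed sample values so the check runs offline; in production you would capture the real outputs on the web server as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): compare the key version numbers
# (kvno) stored in a keytab with the kvno the KDC currently reports for the SPN.
#
# In production, capture the real outputs on the Apache host, e.g.:
#   KEYTAB_LISTING=$(klist -kte /etc/ad2.keytab)
#   KDC_KVNO_LINE=$(kvno "$SPN" 2>&1)    # needs a valid TGT from that realm
# Below, both outputs are constructed sample text so the check runs offline.

# Constructed SPN; the real one must match KrbServiceName byte for byte,
# realm case included (Kerberos realm names are case-sensitive).
SPN='HTTP/test.ourcompany.com@AD2.OURCOMPANY.COM'

# Constructed sample of `klist -kte /etc/ad2.keytab` (MIT krb5 output format).
# The HTTP SPN is present, but only at kvno 3.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/ad2.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:00:00 HTTP/test.ourcompany.com@AD2.OURCOMPANY.COM (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:00:00 HTTP/test.ourcompany.com@AD2.OURCOMPANY.COM (arcfour-hmac)
   2 01/01/2024 09:00:00 host/other.ourcompany.com@AD2.OURCOMPANY.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample of `kvno HTTP/...@AD2.OURCOMPANY.COM` after one more
# password reset on the AD side: the KDC is now at kvno 4.
SAMPLE_KDC_KVNO_LINE='HTTP/test.ourcompany.com@AD2.OURCOMPANY.COM: kvno = 4'

# keytab_kvnos LISTING SPN
#   Prints each distinct kvno the keytab holds for SPN, one per line.
#   Data lines look like: "<kvno> <date> <time> <principal> (<enctype>)",
#   so the principal is field 4.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v spn="$2" '$4 == spn { print $1 }' | sort -un
}

# kdc_kvno KVNO_OUTPUT
#   Extracts the number from a "<principal>: kvno = N" line.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# keytab_matches_kdc LISTING KVNO_OUTPUT SPN
#   Returns 0 when the keytab contains an entry for SPN at the KDC's kvno.
keytab_matches_kdc() {
    want=$(kdc_kvno "$2")
    [ -n "$want" ] || return 1
    for have in $(keytab_kvnos "$1" "$3"); do
        if [ "$have" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Report for the constructed sample: the keytab is one version behind.
if keytab_matches_kdc "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KDC_KVNO_LINE" "$SPN"; then
    echo "OK: keytab holds the KDC's current kvno for $SPN"
else
    have_list=$(keytab_kvnos "$SAMPLE_KEYTAB_LISTING" "$SPN" | tr '\n' ' ')
    echo "MISMATCH for $SPN: keytab kvno(s) [$have_list] vs KDC kvno $(kdc_kvno "$SAMPLE_KDC_KVNO_LINE")"
    echo "Regenerate the keytab from the current AD password and reload Apache."
fi
```

Run it on the real host by replacing the two SAMPLE_ variables with the captured command output. A kvno match is necessary but not sufficient: the keytab must also carry an encryption type the domain controller actually issues for that account (the sample lists both AES and arcfour-hmac for that reason), and the principal name, including realm case, must be identical in the keytab and in KrbServiceName.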