Sanjay, this is confusing for you to reply to the kerberos digest email with your own issue. Create a new email with its own subject for your question.

Please send an email directly to the kerbe...@mit.wsu list.

On Mon, Oct 22, 2018, 7:52 AM Sanjay Kumar Sahu <sanjaysahu.onl...@gmail.com> wrote:

> Hi!
>
> Currently we are facing a Kerberos authentication issue on our RHEL7 server
> running Apache/2.4 after changing the keytab Crypto type=AES256. Previously
> it was Crypto type=all. Please check the following details.
>
> We are using mod_auth_kerb on Red Hat Enterprise Linux for our application
> MediaWiki 1.30.0 running in Apache/2.4.
> We never faced any issue related to Kerberos authentication while we
> used the keytab with the following cipher algorithms in the encryption method.
>
> (des-cbc-crc)
> (des-cbc-md5)
> (aes256-cts-hmac-sha1-96)
> (aes128-cts-hmac-sha1-96)
>
> Later, the DES crypto type was categorized as a weak crypto type and it's
> denied for use in Production for security reasons.
>
> We are asked to use a keytab using Advanced Encryption Standard (AES)
> Cryptography with either of the types (AES128 or AES265) for the following cipher
> algorithms.
>
> (aes256-cts-hmac-sha1-96)
> (aes128-cts-hmac-sha1-96)
>
> But, unfortunately, neither of the keytabs encrypted with AES Crypto (AES128
> or AES265) is working under Apache/2.4, and it throws the following error in the HTTPD
> server Error_log.
>
> Error_log
> -----------------
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
> provide more information (, No key table entry found for the SPN)
>
> Please let us know if there is any solution to resolve the issue for
> kerberos.
>
> On Sun, Oct 21, 2018 at 9:32 PM <kerberos-requ...@mit.edu> wrote:
>
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Kerberos digest..."
> >
> > Today's Topics:
> >
> > 1. Make Windows Firefox Use Ticket gained via OpenConnect VPN
> >    Connection (chiasa.men)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sat, 20 Oct 2018 22:09:57 +0200
> > From: "chiasa.men" <chiasa....@web.de>
> > Subject: Make Windows Firefox Use Ticket gained via OpenConnect VPN
> >          Connection
> > To: kerberos@mit.edu
> > Message-ID: <25678829.3fpAYYNG7q@march>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I have an openconnect server where I can login with kerberos credentials
> > (the vpn server basically also works as proxy to the kdc within said vpn -
> > more detailed description:
> > https://access.redhat.com/blogs/766093/posts/1976663 )
> >
> > Now I can connect with a windows machine (using openconnect-gui) with my
> > kerberos credentials. Which works.
> >
> > The next step shall be to use the gained ticket further for webservices
> > within that vpn. How can I tell the browser (e.g. Firefox) to use the ticket
> > gained by openconnect? Is there any way to achieve this?
> >
> > I also installed the MIT Kerberos Ticket Manager for Windows. Here
> > (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> > is described that it is possible to use that
> > Manager with firefox in order to authenticate to webservices. Although I
> > haven't been able to accomplish that, would it be possible to tell MIT
> > Kerberos Ticket Manager to use the Ticket of the vpn login?
> >
> > Is there already a 'usual way' to achieve something like sso via vpn with
> > kerberos with windows clients?
> >
> > ------------------------------
> >
> > _______________________________________________
> > Kerberos mailing list
> > Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > End of Kerberos Digest, Vol 190, Issue 10
> > *****************************************
>
> --
> *Thanks & Regards,*
>
> *Sanjay Kumar Sahu*
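The quoted question concerns which enctypes a keytab holds for the service principal. As an added example (not part of the thread), this reads a keytab file directly and reports, for one SPN, whether any entry exists, which required enctypes are missing and which DES keys remain, the same information `klist -k -e` lists. It assumes the MIT keytab file format 0x0502; the principal names, realm and all-zero keys in the sample are constructed.

```python
import struct
# Enctype numbers (IANA Kerberos registry) for the four types named in the thread.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def counted(rec, off):   # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    # Returns [(principal, kvno, enctype name)] for a format 0x0502 keytab.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2                 # realm first, then ncomp name components
        for _ in range(ncomp + 1):
            name, off = counted(rec, off)
            names.append(name)
        off += 8                           # skip name type and timestamp
        kvno, etype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
    return entries

def check_spn(entries, spn, required=("aes256-cts-hmac-sha1-96",)):
    # For one SPN: is it present, which required enctypes are missing, which DES keys remain.
    have = {e for p, _, e in entries if p == spn}
    return {"found": bool(have), "missing": [e for e in required if e not in have],
            "weak": sorted(e for e in have if e.startswith("des-"))}

def build_entry(names, realm, kvno, etype, key):   # builds one entry of the constructed sample
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(names)) + cs(realm) + b"".join(map(cs, names))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical principals and realm, all-zero keys.
SAMPLE = (b"\x05\x02" + build_entry(["HTTP", "wiki.example.com"], "EXAMPLE.COM", 2, 3, bytes(8))
          + build_entry(["host", "wiki.example.com"], "EXAMPLE.COM", 3, 18, bytes(32)))
```

Against a real file, pass the keytab's bytes to `parse_keytab` and the SPN to `check_spn` exactly as the principal appears in the keytab, realm included.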