Hello, I'm trying to set up SSO from an AD client towards Apache 2.4 on Ubuntu 20.4LTS.

This is the environment:

- XXX.LOCAL is the Active Directory domain
- zzz.it is the internet domain (with SSL wildcard certificate)
- dc1.xxx.local 172.16.3.18 is the Windows DC server and the internal DNS server
- intranet.xxx.local 172.16.3.245 is the Ubuntu server

In the DNS server there are 2 A records:

- intranet.zzz.it 172.16.3.245 (in the forward search zone zzz.it)
- intranet.xxx.local 172.16.3.245 (in the forward search zone xx.it)

and the relative PTR records in the reverse zones. That's because I'd like to use an https connection with the SSL certificate for the *.zzz.it domain.

Following a tutorial on https://sites.google.com/site/mrxpalmeiras/kerberos-sso-configuration (and after various searches and attempts) I took the following steps:

1) Set up /etc/krb5.conf on the target server

   File /etc/krb5.conf:

    [logging]
        default = FILE:/var/log/apache2/log.krb5default
        admin_server = FILE:/var/log/apache2/log.krb5admin

    [libdefaults]
        default_realm = XXX.LOCAL

    [realms]
        XXX.LOCAL = {
            kdc = dc1.xxx.local
            admin_server = dc1.xxx.local
        }

    [domain_realm]
        intranet.zzz.it = XXX.LOCAL
        .zzz.it = XXX.LOCAL

2) Create a service principal in Active Directory and a keytab for Apache authentication

    sudo msktutil --create --use-service-account --user-creds-only \
        --service HTTP -s HTTP/intranet.zzz.it \
        --keytab ./kerberos2.keytab \
        --account-name kerberosintranet \
        --hostname intranet.xxx.local \
        --base 'OU=-Users' \
        --no-pac --dont-expire-password --verbose

3) Set up the Apache web server on the target server

    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/STAR_zzz_it.crt
        SSLCertificateKeyFile /etc/ssl/certs/wildcard2022.zzz.it.key
        SSLCertificateChainFile /etc/ssl/certs/STAR_zz_it.ca-bundle
        ServerAdmin ad...@zzzrn.it
        ServerName intranet.zzz.it
        DocumentRoot /dati/intranet
        Options +FollowSymLinks -Indexes
        CustomLog ${APACHE_LOG_DIR}/https443_access.log combined
        LogLevel debug
        ErrorLog ${APACHE_LOG_DIR}/https443_error.log
        Alias /topsecret/ "/dati/segreto/"
        <Directory "/dati/segreto/">
            Options FollowSymLinks
            AllowOverride None
            AuthType Kerberos
            KrbAuthRealms XXX.LOCAL
            KrbServiceName HTTP
            Krb5Keytab /etc/winkerberos.keytab
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            require valid-user
        </Directory>
    </VirtualHost>

4) Configure the user browser for automatic logon

   I have skipped this step so that I get a pop-up asking for user & password.

Now when I try to open https://zzz.it/topsecret/info.php (the only page in the folder) I get the popup for credentials, but cannot login!!

This is the error.log when I try to open the page (stripped out date-time and pid for readability):

    [ssl:info] [client 172.16.0.222:12068] AH01964: Connection to child 4 established (server intranet.zzz.rn.it:443)
    [ssl:debug] ssl_engine_kernel.c(2372): [client 172.16.0.222:12068] AH02043: SSL virtual host for servername intranet.zzz.rn.it found
    [ssl:debug] ssl_engine_kernel.c(2372): [client 172.16.0.222:12068] AH02043: SSL virtual host for servername intranet.zzz.rn.it found
    [core:debug] protocol.c(2428): [client 172.16.0.222:12068] AH03155: select protocol from , choices=h2,http/1.1 for server intranet.zzz.rn.it
    [ssl:debug] ssl_engine_kernel.c(2254): [client 172.16.0.222:12068] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
    [ssl:debug] ssl_engine_kernel.c(415): [client 172.16.0.222:12068] AH02034: Initial (No.1) HTTPS request received for child 4 (server intranet.zzz.rn.it:443)
    [authz_core:debug] mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [authz_core:debug] mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [auth_kerb:debug] src/mod_auth_kerb.c(1963): [client 172.16.0.222:12068] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [ssl:debug] ssl_engine_kernel.c(415): [client 172.16.0.222:12068] AH02034: Subsequent (No.2) HTTPS request received for child 4 (server intranet.zzz.rn.it:443)
    [authz_core:debug] mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [authz_core:debug] mod_authz_core.c(817): [client 172.16.0.222:12068] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [auth_kerb:debug] src/mod_auth_kerb.c(1963): [client 172.16.0.222:12068] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [auth_kerb:debug] src/mod_auth_kerb.c(1046): [client 172.16.0.222:12068] Using HTTP/intranet.zzz.rn.it@XXX.LOCAL as server principal for password verification
    [auth_kerb:debug] src/mod_auth_kerb.c(752): [client 172.16.0.222:12068] Trying to get TGT for user cedtm@XXX.LOCAL
    [auth_kerb:debug] src/mod_auth_kerb.c(662): [client 172.16.0.222:12068] Trying to verify authenticity of KDC using principal HTTP/intranet.zzz.rn.it@XXX.LOCAL
    [auth_kerb:debug] src/mod_auth_kerb.c(705): [client 172.16.0.222:12068] krb5_rd_req() failed when verifying KDC
    [auth_kerb:error] [client 172.16.0.222:12068] failed to verify krb5 credentials: Service key not available
    [auth_kerb:debug] src/mod_auth_kerb.c(1128): [client 172.16.0.222:12068] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

I'm missing something; after a week of tests and searches I didn't come out of it, so I hope someone can help me!

Thanks
Marco
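An added check, not part of Marco's post: when mod_auth_kerb reports "Service key not available", the first thing to verify is that the keytab Apache reads (the Krb5Keytab file) actually contains the exact service principal the module names in its "Using ... as server principal" debug line. The script below parses MIT `klist -kt` output, pulls the server principal out of an error.log line, and reports whether they match, with a hint when the service matches but the host or realm differs. The keytab listing and the log line embedded here are constructed from the values quoted in the post; against a real system, feed it live output with `klist -kt /etc/winkerberos.keytab | python3 check_keytab.py 'HTTP/intranet.zzz.rn.it@XXX.LOCAL'`.

```python
from __future__ import annotations

import re
import sys

# Constructed sample of `klist -kt` output (MIT Kerberos layout), built from the
# principal the msktutil command in the post asked for (-s HTTP/intranet.zzz.it).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/winkerberos.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2022 09:15:42 HTTP/intranet.zzz.it@XXX.LOCAL
   2 01/10/2022 09:15:42 HTTP/intranet.zzz.it@XXX.LOCAL
"""

# Constructed copy of the mod_auth_kerb debug line shown in the post's error.log.
SAMPLE_LOG_LINE = (
    "[auth_kerb:debug] src/mod_auth_kerb.c(1046): [client 172.16.0.222:12068] "
    "Using HTTP/intranet.zzz.rn.it@XXX.LOCAL as server principal for password verification"
)


def keytab_principals(listing: str) -> set[str]:
    """Return the distinct principals in MIT `klist -kt` output.

    Entry rows start with a numeric KVNO; the 'Keytab name:' line, the column
    header and the dashed separator do not, so they are skipped.
    """
    principals: set[str] = set()
    for line in listing.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit() and "@" in parts[-1]:
            principals.add(parts[-1])
    return principals


def server_principal_from_log(log_text: str) -> str | None:
    """Extract the principal mod_auth_kerb says it is using for verification."""
    m = re.search(r"Using (\S+@\S+) as server principal", log_text)
    return m.group(1) if m else None


def expected_principal(server_name: str, realm: str, service: str = "HTTP") -> str:
    """Build the service principal Apache needs for a given ServerName and realm.

    Kerberos principals are case-sensitive: the host part is conventionally
    lower-case and the realm upper-case, so normalise both.
    """
    return f"{service}/{server_name.lower()}@{realm.upper()}"


def check_keytab(listing: str, wanted: str) -> dict:
    """Compare the wanted principal with the keytab contents and explain gaps."""
    have = keytab_principals(listing)
    result = {"wanted": wanted, "present": wanted in have,
              "keytab": sorted(have), "hints": []}
    if result["present"]:
        return result
    if not have:
        result["hints"].append("keytab listing contains no principals: check the "
                               "Krb5Keytab path and that the Apache user can read it")
        return result
    w_service, _, w_rest = wanted.partition("/")
    w_host, _, w_realm = w_rest.partition("@")
    for p in have:
        service, _, rest = p.partition("/")
        host, _, realm = rest.partition("@")
        if service == w_service and host != w_host:
            result["hints"].append(
                f"keytab has {service}/{host} but the server expects host {w_host}: "
                "check ServerName, the A/PTR records and the -s/--hostname given to msktutil")
        elif host == w_host and realm != w_realm:
            result["hints"].append(
                f"keytab realm {realm} differs from expected realm {w_realm}: "
                "check default_realm and [domain_realm] in krb5.conf")
    return result


def main() -> None:
    """CLI: klist -kt <keytab> | python3 check_keytab.py <expected-principal>"""
    wanted = sys.argv[1] if len(sys.argv) > 1 else server_principal_from_log(SAMPLE_LOG_LINE)
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYTAB_LISTING
    report = check_keytab(listing, wanted)
    print("wanted :", report["wanted"])
    print("keytab :", ", ".join(report["keytab"]) or "(empty)")
    print("present:", report["present"])
    for hint in report["hints"]:
        print("hint   :", hint)


if __name__ == "__main__":
    main()
```

Run with no arguments it evaluates the constructed samples; the same comparison applies to any keytab, and it is worth repeating after every msktutil run, since a keytab written to `./kerberos2.keytab` is only useful to Apache once it is the file named by Krb5Keytab and readable by the Apache process.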