Kerberos/Apache receiving Active Directory user/password in plain text


Kerberos/Apache receiving Active Directory user/password in plain text

by LUISRAMOS

Hi all,

We have a Unix web server with Apache where we installed Kerberos to implement single sign-on.  The idea with this is to have the ability of authenticating through the Windows Active Directory once, not needing to log in again on the Unix box.  After the setup, the authentication works.  When we log in to the Unix server, a popup window asks for user/pwd.  After entering user/pwd the credentials are authenticated against the Windows Active Directory and access to the Unix/Apache box is granted.  However, what we want is to avoid this login popup.  We noticed that when the popup window is displayed the following message is seen in the popup:  "Warning:  This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."  Looks like the internet browser is sending the credentials in plain text to the Unix box.

Does anybody have an idea of how we can configure Kerberos, or any other component, to avoid this popup window?

Thanks in advance

Re: Kerberos/Apache receiving Active Directory user/password in plain text

by Michael Ströder

LUISRAMOS wrote:
> We have a Unix web server with Apache where we installed Kerberos to
> implement single sign-on.

I guess you're using mod_auth_kerb?

> The idea with this is to have the ability of authenticating through the
> Windows Active Directory once, not needing to log in again on the Unix box.
> After the setup, the authentication works.  When we log in to the Unix
> server, a popup window asks for user/pwd.  After entering user/pwd the
> credentials are authenticated against the Windows Active Directory and
> access to the Unix/Apache box is granted.  However, what we want is to
> avoid this login popup.  We noticed that when the popup window is displayed
> the following message is seen in the popup:  "Warning:  This server is
> requesting that your username and password be sent in an insecure manner
> (basic authentication without a secure connection)."  Looks like the
> internet browser is sending the credentials in plain text to the Unix box.
>
> Does anybody have an idea of how we can configure Kerberos, or any other
> component, to avoid this popup window?

Set "KrbMethodK5Passwd off" in httpd.conf.

See also: http://modauthkerb.sourceforge.net/configure.html

Ciao, Michael.

--
Michael Ströder
E-Mail: michael@...
http://www.stroeder.com
________________________________________________
Kerberos mailing list           Kerberos@...
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos/Apache receiving Active Directory user/password in plain text

by LUISRAMOS

Michael, I changed the parameter and got this message:

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.



Apache/2.0.52 (Unix) DAV/2 mod_auth_kerb/5.4 Server at prcognosweb Port 80

Re: Kerberos/Apache receiving Active Directory user/password in plain text

by Michael Ströder

LUISRAMOS wrote:

>
> Michael Ströder wrote:
>> LUISRAMOS wrote:
>>> We have a Unix web server with Apache where we installed Kerberos to
>>> implement single sign-on.
>> I guess you're using mod_auth_kerb?
>>
>>> The idea with this is to have the ability of authenticating through the
>>> Windows Active Directory once, not needing to log in again on the Unix box.
>>> After the setup, the authentication works.  When we log in to the Unix
>>> server, a popup window asks for user/pwd.  After entering user/pwd the
>>> credentials are authenticated against the Windows Active Directory and
>>> access to the Unix/Apache box is granted.  However, what we want is
>>> to avoid this login popup.  We noticed that when the popup window is
>>> displayed the following message is seen in the popup:  "Warning: This
>>> server is requesting that your username and password be sent in an
>>> insecure manner (basic authentication without a secure connection)."
>>> Looks like the internet browser is sending the credentials in plain
>>> text to the Unix box.
>>>
>>> Does anybody have an idea of how we can configure Kerberos, or any other
>>> component, to avoid this popup window?
>>
>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>
>> See also: http://modauthkerb.sourceforge.net/configure.html
>
> Michael, I changed the parameter and got this message:
>
> Authorization Required
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.

Well, you have to set up your environment to let the browser use SPNEGO/Kerberos.

Ciao, Michael.

Re: Kerberos/Apache receiving Active Directory user/password in plain text

by LUISRAMOS

We tried using the GSS module and it worked smoothly for Solaris 10, since the Apache for this Solaris version brings all the needed modules off the shelf.  However, we haven't been able to make it work in Solaris 9; it looks like we might be having an issue with the libraries needed to replicate the same components Solaris 10 has.  When we look at the error logs for Solaris 9 this is what we get.

Client wants GSS mech: <unknown>

For Solaris 10, which works nicely, this is the message:

Client wants GSS mech: spnego

We are testing different alternatives with the compilation of the GSS module to see what we could be missing.

Regards

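Two things in this thread are easiest to see on the wire: why the browser warns about Basic authentication on port 80 (the credentials are only base64-encoded, so anyone on the path can read them), and what the "Client wants GSS mech: spnego" versus "<unknown>" log lines are reporting (the mechanism OID at the front of the client's Negotiate token). The script below is an added example, not code from the thread or from mod_auth_kerb. The Authorization headers, tokens and challenge sets it checks are constructed for the demonstration, and the finding names returned by audit_challenges are this example's own labels.

```python
"""Added example (not from the thread): inspect what an Apache/mod_auth_kerb
style exchange puts on the wire. All sample headers and tokens are constructed."""
import base64
import binascii

# Mechanism OIDs found at the start of a GSS-API initial context token
# (RFC 2743 section 3.1). Anything else is reported as <unknown>.
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "spnego",            # SPNEGO, what a correctly set up browser sends
    "1.2.840.113554.1.2.2": "krb5",       # plain Kerberos 5 mechanism
    "1.2.840.48018.1.2.2": "mskrb5",      # Microsoft's Kerberos mechanism OID
    "1.3.6.1.4.1.311.2.2.10": "ntlmssp",  # NTLM carried inside GSS framing
}


def _read_length(buf, pos):
    """Return (length, position after the length field) for a DER length."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:        # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def gss_mech_of(token):
    """Name the mechanism a Negotiate token asks for, or '<unknown>'."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlmssp (raw NTLM, not GSS-API framed)"
    if len(token) < 2 or token[0] != 0x60:          # [APPLICATION 0] wrapper
        return "<unknown>"
    _, pos = _read_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:      # OBJECT IDENTIFIER tag
        return "<unknown>"
    oid_len, pos = _read_length(token, pos + 1)
    oid = decode_oid(token[pos:pos + oid_len])
    return KNOWN_MECHS.get(oid, "<unknown>")


def inspect_authorization(header):
    """Classify an Authorization header the way the server sees it."""
    scheme, _, param = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            creds = base64.b64decode(param, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return {"scheme": "basic", "error": "undecodable base64"}
        user, _, password = creds.partition(":")
        # base64 is an encoding, not encryption: this is what a sniffer sees.
        return {"scheme": "basic", "user": user, "password": password}
    if scheme == "negotiate":
        return {"scheme": "negotiate", "mech": gss_mech_of(base64.b64decode(param))}
    return {"scheme": scheme}


def audit_challenges(challenges, over_tls):
    """Findings (example's own labels) for a WWW-Authenticate challenge set."""
    schemes = [c.split(None, 1)[0].lower() for c in challenges]
    findings = []
    if "basic" in schemes and not over_tls:
        findings.append("basic-without-tls")          # the browser warning in the thread
    if "negotiate" not in schemes:
        findings.append("no-sso-possible")
    if schemes == ["negotiate"]:
        findings.append("ticketless-clients-get-401")  # KrbMethodK5Passwd off, no ticket
    return findings


# Constructed samples: a Basic header, a SPNEGO token, a plain krb5 token,
# and a blob that is not a GSS-API token at all.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"jdoe:Winter2024!").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    bytes.fromhex("600d" "06062b0601050502" "a003300100")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    bytes.fromhex("600d" "06092a864886f712010202" "0100")).decode()
SAMPLE_GARBAGE = "Negotiate " + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

if __name__ == "__main__":
    for h in (SAMPLE_BASIC, SAMPLE_SPNEGO, SAMPLE_KRB5, SAMPLE_GARBAGE):
        print(inspect_authorization(h))
    print(audit_challenges(["Negotiate", 'Basic realm="Kerberos Login"'], over_tls=False))
    print(audit_challenges(["Negotiate"], over_tls=False))
```

The first audit_challenges call is the situation at the top of the thread (Negotiate plus Basic offered over plain HTTP, so a browser with no ticket falls back to a readable password prompt); the second is what remains once the Basic fallback is turned off, where a client with no usable ticket gets the 401 quoted earlier. The audit only looks at the challenge list: whether a browser actually sends a Kerberos token also depends on the client trusting the site for Negotiate and being able to obtain a service ticket for the server's SPN.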

Re: Kerberos/Apache receiving Active Directory user/password in plain text

by Douglas E. Engert

LUISRAMOS wrote:

> We tried using the GSS module and it worked smoothly for Solaris 10, since
> the Apache for this Solaris version brings all the needed modules off the
> shelf.  However, we haven't been able to make it work in Solaris 9; it looks
> like we might be having an issue with the libraries needed to replicate the
> same components Solaris 10 has.  When we look at the error logs for Solaris
> 9 this is what we get.
>
> Client wants GSS mech: <unknown>
>
> For Solaris 10, which works nicely, this is the message:
>
> Client wants GSS mech: spnego
>
> We are testing different alternatives with the compilation of the GSS module
> to see what we could be missing.
>

Solaris 9 is pretty old, and Sun did not expose the Kerberos API. We always
used the MIT Kerberos on Solaris 9. Solaris 10 is much better, and Sun keeps it
more up to date, and has exposed the Kerberos API.

If you are not on the modauthkerb-help@... you should be.
There is a Solaris discussion going on there.



--

  Douglas E. Engert  <DEEngert@...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444