Warm tip: This article is reproduced from serverfault.com.

Kerberos GSSAPI AD Authentication fails

Posted on 2020-12-18 12:24:03

I have an Apache HTTP server on CentOS 8. I have to protect a specific location with the Kerberos module and I'm using the GSSAPI mod.

I've configured the kerberos client and the kinit test seems fine:

[root@test etc]# kinit -V
Using principal: HTTPS/test.com@MIODOMINIO.IT
Password for HTTPS/test.com@MIODOMINIO.IT:
Authenticated to Kerberos v5
[root@test etc]#

I need a browser on a domain PC to be able to access my protected resource without asking for credentials. I've set up the GSSAPI module in Apache this way:

<Location /kerb>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiSSLonly On
    GssapiAllowedMech krb5
    GssapiCredStore keytab:/etc/kerberosx2.keytab
    BrowserMatch Windows gssapi-no-negotiate
    GssapiLocalName On
    GssapiBasicAuth Off
    Require valid-user
</Location>

but when I request the resource in a browser (Internet Explorer), I get this error in the Apache log:

[Fri Dec 18 12:32:10.276925 2020] [auth_gssapi:debug] [pid 11188:tid 139970006206208] mod_auth_gssapi.c(895): [client 192.168.1.174:53678] URI: /kerb/kerb.html, no main, no prev
[Fri Dec 18 12:32:10.276932 2020] [auth_gssapi:info] [pid 11188:tid 139970006206208] [client 192.168.1.174:53678] NO AUTH DATA Client did not send any authentication headers

I've put the site in the local area safe sites of Internet Explorer, like I found on the web, but with no result.

Any idea? It seems that the browser, even though it is in the domain, doesn't send the authentication headers.

Thanks!

Questioner
Gabriele
Gabriele 2020-12-21 19:03:28

Thanks to all, I've reconfigured in a clean environment and now it works. I've tested it both with gssapi-mod and the old kerb-mod for Apache.

Maybe there was some configuration error.

Thanks
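
An added example, not part of the original posts: a small Python check of the `<Location>` block from the question that reports which `WWW-Authenticate` schemes the 401 would advertise to a given browser. It uses a simplified model of mod_auth_gssapi's documented behaviour (the `gssapi-no-negotiate` environment variable suppresses the Negotiate header, and a Basic challenge is sent only when `GssapiBasicAuth` is On). The User-Agent strings and function names are constructed for illustration.

```python
import re
import shlex

# The <Location> block from the question, embedded as sample input.
CONFIG = """
<Location /kerb>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiSSLonly On
    GssapiAllowedMech krb5
    GssapiCredStore keytab:/etc/kerberosx2.keytab
    BrowserMatch Windows gssapi-no-negotiate
    GssapiLocalName On
    GssapiBasicAuth Off
    Require valid-user
</Location>
"""
# Constructed User-Agent strings (not taken from the page).
IE_ON_WINDOWS = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
FIREFOX_ON_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"

def parse_directives(block):
    """Return (name, args) for every directive line, skipping <...> tags and comments."""
    lines = (l.strip() for l in block.splitlines())
    parsed = (shlex.split(l) for l in lines if l and l[0] not in "<#")
    return [(p[0], p[1:]) for p in parsed]

def negotiate_suppressed(directives, user_agent):
    """True if a BrowserMatch rule sets gssapi-no-negotiate for this User-Agent."""
    for name, args in directives:
        if name.lower() not in ("browsermatch", "browsermatchnocase"):
            continue
        if len(args) < 2 or "gssapi-no-negotiate" not in args[1:]:
            continue
        flags = re.I if name.lower() == "browsermatchnocase" else 0
        if re.search(args[0], user_agent, flags):
            return True
    return False

def challenges_offered(directives, user_agent):
    """Schemes the 401 would advertise in WWW-Authenticate under this model."""
    basic = "off"  # GssapiBasicAuth defaults to Off
    for name, args in directives:
        if name.lower() == "gssapibasicauth" and args:
            basic = args[0].lower()
    offered = [] if negotiate_suppressed(directives, user_agent) else ["Negotiate"]
    return offered + (["Basic"] if basic == "on" else [])

if __name__ == "__main__":
    d = parse_directives(CONFIG)
    for label, ua in (("IE/Windows", IE_ON_WINDOWS), ("Firefox/Linux", FIREFOX_ON_LINUX)):
        print(label, "->", challenges_offered(d, ua) or "no challenge: client sends no auth headers")
```

An empty result for a browser means the server offers it neither Negotiate nor Basic, which is consistent with a "Client did not send any authentication headers" log entry.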