
Unable to authenticate using GSSAPI

Added by vbhoj almost 6 years ago

Hi,

I'm running lighttpd 1.4.45 on Debian 9.3 and installed lighttpd-mod-authn-gssapi. I'm trying to use Single Signon to authenticate users on an Active Directory domain, but I get the following error in the lighttpd logs whenever I navigate to my web page in any browser (Chrome, IE, Firefox) that is on the domain.

(mod_authn_gssapi.c.415) No confidentiality for user:

I've included the following in my lighttpd configuration file:

server.modules += ("mod_authn_gssapi")
auth.backend = "gssapi"
auth.backend.gssapi.principal = "HTTP/abc.qa.local@QA.LOCAL"
auth.backend.gssapi.keytab = "/config/my.keytab"
auth.require = ( "/" => ("method" => "gssapi", "realm" => "QA.LOCAL", "require" => "valid-user"))

I see in the browser debugging tools that the browser sends back an Authorization: Negotiate token in its response to the WWW-Authenticate challenge. I've also verified that I can successfully kinit the above principal on my Debian system with the keytab that's installed (and configured in lighttpd) and it should be using aes256-cts-hmac-sha1-96 encryption for the Kerberos tickets.

I'm not really sure how to debug/resolve this issue so any help would be greatly appreciated.

Thanks

Replies (8)

RE: Unable to authenticate using GSSAPI - Added by gstrauss almost 6 years ago

Just some context. (Sorry this is not a solution.)

lighttpd mod_authn_gssapi reports "No confidentiality for user" when GSS_C_CONF_FLAG is not set as a result of the call to gss_accept_sec_context().

https://tools.ietf.org/html/rfc1964

GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG, for which no corresponding
context-level input indicator flags to GSS_Init_sec_context() exist,
shall each be set to indicate whether their respective per-message
protection services are available for use on the context being
established.

https://tools.ietf.org/html/rfc/rfc2744

GSS_C_CONF_FLAG
True - Confidentiality service may be
       invoked by calling the gss_wrap
       routine
False - No confidentiality service (via
        gss_wrap) available. gss_wrap will
        provide message encapsulation,
        data-origin authentication and
        integrity services only.

RE: Unable to authenticate using GSSAPI - Added by gstrauss almost 6 years ago

See also #1899, from which mod_authn_gssapi originates.

RE: Unable to authenticate using GSSAPI - Added by vbhoj almost 6 years ago

Thanks for your response!

This may be out of scope of this forum, but do you know if there's a setting for the GSS_C_CONF_FLAG that needs to be enabled somewhere? I'm a little confused as to whether that flag needs to be set by the browser (in Windows) when providing the Kerberos token in the request or whether the issue is on my Debian machine.

Thanks.

RE: Unable to authenticate using GSSAPI - Added by gstrauss almost 6 years ago

I did some research to attempt to give you a starting point for further efforts. Please do some research yourself and let us know what you find. (From the question you have asked, it is highly probable that you have made no other effort on your own.)

RE: Unable to authenticate using GSSAPI - Added by flyn almost 6 years ago

I am also trying to configure mod_authn_gssapi; I am using 1.4.48 in my case.

I seem to get one step beyond vbhoj:

2018-05-21 23:30:56: (mod_authn_gssapi.c.425) Unable to delegate credentials for user: 

I have configured Firefox as follows:

network.negotiate-auth.delegation-uris = https://www.example.com/
network.negotiate-auth.trusted-uri = https://

My 20-auth.conf contains:

auth.backend = "gssapi"
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
auth.backend.gssapi.principal = ""
auth.require = (
    "/test" => (
        "method" => "gssapi",
        "realm" => "EXAMPLE.COM",
        "require" => "valid-user"
    ),
)

I created the Kerberos principal using:

kadmin> add_principal -randkey 

and I produced the keytab with:

kadmin> ktadd -k keytab 

I am presently looking at the MIT Kerberos principal attributes such as ok_as_delegate and ok_to_auth_as_delegate, but I have not yet found a combination which results in a working configuration.

RE: Unable to authenticate using GSSAPI - Added by vbhoj almost 6 years ago

@gstrauss

As far as I can tell looking at the code from Chromium (https://github.com/chromium/chromium/blob/f18e79d901f56154f80eea1e2218544285e62623/net/http/http_auth_sspi_win.cc) and Firefox (https://dxr.mozilla.org/mozilla-central/source/extensions/auth/nsAuthSSPI.cpp), these browsers don't request confidentiality when calling the Windows SSPI function InitializeSecurityContext() (which I believe is analogous to gss_init_sec_context()). They only appear to request delegation and mutual authentication.

So if I understand correctly, in this case the authentication token sent to the webserver would not have the confidentiality flag set and so the check that lighttpd performs for GSS_C_CONF_FLAG would fail.

I also tried looking up the mod_auth_gssapi and mod_auth_kerb code for Apache and don't see them testing for this flag.

Please let me know if I am misunderstanding this or still missing something.

Thanks.
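An added example (not lighttpd's own code) tying together gstrauss's explanation of GSS_C_CONF_FLAG and vbhoj's finding that the browsers request only delegation and mutual authentication: it evaluates a ret_flags value the way the two log messages in this thread suggest mod_authn_gssapi does, and renders the flags by name for a debug log line. The flag bit values are copied from RFC 2744 so it builds without libgssapi; that the "Unable to delegate credentials" message corresponds to a GSS_C_DELEG_FLAG test is my assumption.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Context flag bits from RFC 2744 (same values as <gssapi/gssapi.h>);
 * defined locally so this builds without libgssapi installed. */
#define GSS_C_DELEG_FLAG     1
#define GSS_C_MUTUAL_FLAG    2
#define GSS_C_REPLAY_FLAG    4
#define GSS_C_SEQUENCE_FLAG  8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32
enum ctx_check { CTX_OK = 0, CTX_NO_CONF = 1, CTX_NO_DELEG = 2 };

/* Same order as the thread's log lines: confidentiality is checked first
 * ("No confidentiality for user:"), then delegation ("Unable to delegate
 * credentials for user:"); the delegation test is my assumption. */
enum ctx_check check_context_flags(uint32_t ret_flags)
{
    if (!(ret_flags & GSS_C_CONF_FLAG))  return CTX_NO_CONF;
    if (!(ret_flags & GSS_C_DELEG_FLAG)) return CTX_NO_DELEG;
    return CTX_OK;
}

/* Render ret_flags as "DELEG|MUTUAL|..." for a debug log line. */
const char *describe_flags(uint32_t ret_flags, char *buf, size_t len)
{
    static const struct { uint32_t bit; const char *name; } names[] = {
        { GSS_C_DELEG_FLAG, "DELEG" },   { GSS_C_MUTUAL_FLAG, "MUTUAL" },
        { GSS_C_REPLAY_FLAG, "REPLAY" }, { GSS_C_SEQUENCE_FLAG, "SEQUENCE" },
        { GSS_C_CONF_FLAG, "CONF" },     { GSS_C_INTEG_FLAG, "INTEG" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(ret_flags & names[i].bit)) continue;
        if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, names[i].name, len - strlen(buf) - 1);
    }
    return buf;
}

int main(void)
{
    /* Constructed value: delegation + mutual auth only, which is what vbhoj
     * found the browsers request; no confidentiality service negotiated. */
    uint32_t browser = GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG;
    char buf[64];
    printf("flags=%s -> check=%d\n", describe_flags(browser, buf, sizeof buf),
           (int)check_context_flags(browser));
    return 0;
}
```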

RE: Unable to authenticate using GSSAPI - Added by flyn almost 6 years ago

In my case, I had been misusing network.negotiate-auth.delegation-uris. Setting it to .example.com fixed things for me. Sorry for the noise; I had thought perhaps my problem was related to yours because they both seemed related to Kerberos flags.

RE: Unable to authenticate using GSSAPI - Added by naxim almost 6 years ago

I have the same problem with "(mod_authn_gssapi.c.420) No confidentiality for user: " on Debian jessie.

lighttpd -V

lighttpd/1.4.49 (ssl) - a light and fast webserver
+ Kerberos support
+ LDAP support

I generate my keytab for lighttpd on Windows 2012R2 with the kpass command.

How can I resolve this problem?
