Hey List,
I have been setting up SSO on our Intranet Apache server. All seems well, I think I have just about cracked it but it seems a little rough around the edges;
I enabled auth_mod_kerb, and created a test directory in my web root (/secure) and added a directory directive under the httpd.conf, I created a user in Active Ditectory, used ktpass.exe to map the user to the service principal and put the key tab on the Apache server and all seems well.
I am testing this with FireFox and Internet Explorer (Both on Windows XP Pro SP3 Client). FireFox works only with the FQDN of the Intranet server (and not just http://hostname/secure, this gives an authentication error), and only with our domain name set in "network.negotiate-auth.delegation-uris" and in "network.negotate-auth.trusted-uris".
Internet Explorer however only works with http://hostname/secure and not f.q.d.n/secure? (Integrate with Windows Authentication IS enabled).
Obviously as this point the reason I am posting here is because I am trying to eliminate the reasons for this. If it is a client side problem I need to seeks some more savvy IE/Windows users maybe but I am posting here to enquire if anyone has any thoughts about it possibly being DNS related or some sort of server misconfiguration?
uname -a Linux hades.nr5project.co.uk 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:19:18 EDT 2009 i686 i686 i386 GNU/Linux
Apache/2.2.11 (Unix) mod_auth_kerb/5.4 DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Thanks for reading.
James Bensley wrote on Thu, 17 Dec 2009 09:46:00 +0000:
Internet Explorer however only works with http://hostname/secure and not f.q.d.n/secure? (Integrate with Windows Authentication IS enabled).
That is because your FQDN is detected as Internet zone and that will not use Windows Authentication (for obvious reasons). That authentication is done only in the Local Intranet zone. You can see that if you look in the security settings of IE. (Do not change them!) IE should automatically detect that this FQDN is part of your Intranet with the "automatically detect" setting if your AD is setup correctly. If you can't make this work, you can disable the automatic detection and then add FQDNs manually to the Local Intranet zone. Of course, this makes sense only if you have a few machines.
Kai