When I go to web_site_address/user/login/sso I get a message stating "You were not authenticated by the server. You may log in with your credentials below".
Upon reviewing the Drupal DB logs I get the following message: $_SERVER['REMOTE_USER'] not found.
Within the Drupal LDAP module I have defined all the details for the Active Directory, the containers and the user details; under the authentication area I have ticked the following boxes:
"Strip REMOTE_USER domain name"
&
"Turn on automated single sign-on"
I have the cookie lifetime set to 1 week and the authentication mechanism set to mod_auth_kerb.
I am running on Oracle Linux 6 with Tomcat 6.0.35 and Apache 2.2
I have performed the following steps to get to the point above; these are:
$ yum install krb5-devel
$ yum install krb5-libs
$ yum install krb5-workstation
$ cd /etc
$ vi krb5.conf
I add the following to the krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24hr
renew_lifetime = 7d
default_keytab_name = FILE:/etc/krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
default_realm = DOMAIN-NAME
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DOMAIN-NAME = {
kdc = domain-controller-address
master_kdc = domain-controller-address
admin_server = domain-controller-address
kpasswd = domain-controller-address
kpasswd_server = domain-controller-address
}
[domain_realm]
.domain-name = DOMAIN-NAME
domain-name = DOMAIN-NAME
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
Using the kinit command I am able to enter a password at this point and it authenticates, as I get no error messages and it returns to the prompt $.
$ cd /usr/local/apache2/conf
$ vi httpd.conf
I then change the ServerName to be the IP of the server and add:
UseCanonicalName On
$ yum install mod_auth_kerb
$ cd /etc/httpd/conf.d
$ vi auth_kerb.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /var/www/vhosts/site-name>
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DOMAIN-NAME
Krb5KeyTab /etc/krb5.keytab
KrbSaveCredentials On
require valid-user
</Location>
I got the sysadmins to use the ktpass command to tie the user (ldap_reader) to the service principal and applied the generated keytab file to /etc/krb5.keytab.
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap_reader@DOMAIN-NAME
Valid starting Expires Service principal
09/07/12 12:50:07 09/07/12 22:50:27 krbtgt/AGRIC@DOMAIN-NAME
renew until 09/14/12 12:50:07
$ klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HTTP/ldap_reader.domain-here@DOMAIN-HERE
I then stopped and started the Apache service.
I then made the following configuration changes to Firefox:
As an address I entered about:config.
I then performed a search for network.negotiate-auth.trusted-uris and set the value to the domain name.
Any help to get SSO working for Drupal would be greatly appreciated. These are the steps I have performed so far, if you require any further information let me know.
Comments
Comment #0.0
mscully commented: some stuff was missing when I posted the original message
Comment #0.1
mscully commented: some more inputs didn't appear in the message
Comment #2
madmartigan commented: Updated - managed to resolve this issue (I work at the same company).
Downloaded the source for latest version of mod_auth_kerb (http://modauthkerb.sourceforge.net/install.html) and followed install option.
Then the problem was that the ktpass needed to be created with the correct hostname of the Linux box,
with also the reverse DNS PTR record pointing back to the FQDN (DNS updated by sysadmins).
The following article helped, and I recommend others read it first: http://www.grolmsnet.de/kerbtut/
This gives you the info about reverse DNS and examples of the ktpass command required, and a detailed walkthrough.
Every environment is different and we all may have slightly different problems, but this should give you the guidance required.
Hope that helps others.
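A small added diagnostic (mine, not code from this thread, the LDAP module or mod_auth_kerb) for the two conditions comment #2 identifies: the keytab must contain HTTP/<fqdn>@<REALM> for the name Apache is reached by, and the reverse (PTR) lookup must resolve back to that same FQDN. The hostnames, realm and klist output below are constructed placeholders so it runs offline; the sample keytab deliberately holds the wrong SPN to show the mismatch from this thread.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (placeholder names, not the page's).
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 HTTP/ldap_reader.example.test@EXAMPLE.TEST
   3 host/web01.example.test@EXAMPLE.TEST'

# Print only the principal column of klist -k output (rows that start with a KVNO).
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# check_spn FQDN REALM   (klist -k output on stdin)
# Returns 0 if HTTP/FQDN@REALM is in the keytab, 1 otherwise. Browsers request
# exactly this SPN for the host in the URL, so a keytab cut for another name
# cannot be used by mod_auth_kerb.
check_spn() {
  spn="HTTP/$1@$2"
  if keytab_principals | grep -qxF -- "$spn"; then
    echo "OK: keytab contains $spn"
    return 0
  fi
  echo "MISSING: keytab has no $spn (re-run ktpass for this host name)" >&2
  return 1
}

# Lowercase and drop the trailing dot that dig/host append to PTR answers.
normalize_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# check_ptr FQDN PTR_ANSWER : returns 0 if the reverse lookup names the same host.
check_ptr() {
  [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# Demo on the constructed data. On a real server use instead:
#   fqdn=$(hostname -f); ip=$(dig +short "$fqdn"); ptr=$(dig +short -x "$ip")
#   klist -k | check_spn "$fqdn" YOUR.REALM ; check_ptr "$fqdn" "$ptr"
printf '%s\n' "$SAMPLE_KLIST" | check_spn web01.example.test EXAMPLE.TEST \
  || echo "keytab was cut for the wrong host name" >&2
check_ptr web01.example.test 'web01.example.test.' && echo "OK: PTR matches FQDN"
```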
Comment #3
johnbarclay commented: This should be worked into the SSO documentation also. Tagging as such.
Comment #4.0
(not verified) commented: some more information didn't appear in the post needed to fix this.
Comment #5
duke786 commented: I just followed all the steps you have mentioned in this post as well as the links you have mentioned in this post. I must say it was very useful to follow for a beginner in Drupal as well as in CentOS.
I have encountered an error message:
[Mon Dec 23 05:44:52 2013] [error] [client private IP] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, )
[Mon Dec 23 05:50:21 2013] [error] [client public IP] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, ), referer: http://dns(A)record.my-domain.co.uk/admin/settings/ldap/sso
The above message appears as soon as I enable the Alias under httpd.conf:
Alias /sso/ "/var/www/test/"
AuthType Kerberos
KrbAuthRealms MY-DOMAIN.LOCAL
KrbServiceName HTTP
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
When I browse the site in Chrome it's giving me a 500 error, and in Mozilla a 401.
Please help.