KB-1251: Apache Kerberos (SSO) authentication may not work after upgrading to DirectControl 4.2.x from a previous release

Products: Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016 at 11:11 AM

Applies to: Centrify DirectControl 4.2.x and all versions of the Centrify Apache module

Problem:

After upgrading from a previous version of DirectControl to DirectControl 4.2.x, performing an adleave and adjoin breaks the Apache module's Kerberos (SSO) authentication. You might see the following errors in the Apache error log:

[Mon Apr 13 17:00:47 2009] [error] [client 172.27.23.169] User failed authentication for /corpintranet/index.files/styles-3.css: failed Kerberos validation: General Failure, referer: http://lmrhel51.centrify.seng/corpintranet/index.shtml

and corresponding debug messages in centrifydc.log:

Apr 13 17:00:47 lmrhel51 adclient[31257]: DEBUG <fd:10 CAPIAuthValidateKerberosUser> base.aduser Opening Kerberos keytab = 'WRFILE:/etc/krb5.keytab'
Apr 13 17:00:47 lmrhel51 adclient[31257]: DEBUG <fd:10 CAPIAuthValidateKerberosUser> util.except cims::SystemException error decoding kerberos request (reference base/aduser.cpp:1432 rc: -1765328203)
Apr 13 17:00:47 lmrhel51 adclient[31257]: DEBUG <fd:10 CAPIAuthValidateKerberosUser> daemon.ipcclient doCAPIAuthValidateKerberosUser: CIMS Exception: error decoding kerberos request

Cause:

This occurs if there are no HTTP keytab entries in /etc/krb5.keytab. The rc value -1765328203 in the debug log is the Kerberos library error KRB5_KT_NOTFOUND ("Key table entry not found"): adclient receives the browser's HTTP/hostname service ticket but has no matching key in the keytab to decrypt it with.

Workaround:

There are two workarounds:

Workaround 1:
---------------------

1) Perform an adleave.
2) Open /etc/centrifydc/centrifydc.conf and search for "adclient.krb5.service.principals". You might find more than one entry; make sure to edit the one that is uncommented.

If http is missing from the adclient.krb5.service.principals value, add it. See the example below:

[root@rhel3 reg]# grep cifs /etc/centrifydc/centrifydc.conf
adclient.krb5.service.principals: http ftp cifs nfs

Save the file.

3) Perform an adjoin.
4) Run the following command as root to ensure that HTTP entries are now in krb5.keytab:

[root@rhel3 reg]# klist -kte | grep -i http

5) Restart apache.
6) Log out of and back into Windows and check that Kerberos authentication to the Web site works as desired. If not, contact Centrify support.

Workaround 2:
----------------------

1) Open /etc/centrifydc/centrifydc.conf and search for "adclient.krb5.service.principals". You might find more than one entry; make sure to edit the one that is uncommented.

If http is missing from the adclient.krb5.service.principals value, add it. See the example below:

[root@rhel3 reg]# grep cifs /etc/centrifydc/centrifydc.conf
adclient.krb5.service.principals: http ftp cifs nfs

Save the file.

2) Without doing another adleave / adjoin operation, you can add the missing SPNs by running the following command as root:

adkeytab -a -P NAME/hostname -P NAME/hostname.domain.name

where NAME is the desired service principal (http, ftp, cifs, nfs, etc.), hostname is the short host name and hostname.domain.name is its fully qualified name. For this issue, use http for NAME.

3) Run the following command as root to ensure that HTTP entries are now in krb5.keytab:

[root@rhel3 reg]# klist -kte | grep -i http

4) Restart apache.
5) Log out of and back into the Windows desktop and check that Kerberos authentication to the Web site works as desired. If not, contact Centrify support.
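Both workarounds depend on the same two conditions: the uncommented adclient.krb5.service.principals line in centrifydc.conf lists http, and the keytab actually contains HTTP/ entries afterwards. The following shell helper is an added example (not part of this article or of Centrify's tooling) that checks both against a saved copy of the configuration and of `klist -kte` output. The configuration excerpts and keytab listings embedded below are constructed for the example; the realm CENTRIFY.SENG and the KVNO/timestamp columns are assumptions based on the hostname in the log lines above.

```shell
#!/bin/sh
# Added verification helper for KB-1251 (example code, not Centrify's).
# It checks the two preconditions both workarounds rely on:
#   1. the UNCOMMENTED adclient.krb5.service.principals line in
#      centrifydc.conf lists http (a commented copy does not count)
#   2. a `klist -kte` listing contains at least one HTTP/ service principal
# All sample inputs below are constructed for this example. On a live host:
#   conf_has_http /etc/centrifydc/centrifydc.conf && echo "http configured"
#   klist -kte | keytab_http_entries -

# Print the value of the last uncommented adclient.krb5.service.principals
# line. Lines beginning with '#' never match the pattern, so a commented
# duplicate (the pitfall the article warns about) is ignored.
effective_service_principals() {
    sed -n 's/^[[:space:]]*adclient\.krb5\.service\.principals[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}

# Exit 0 if http is one of the effective service principals (case-insensitive).
conf_has_http() {
    effective_service_principals "$1" |
        awk '{ for (i = 1; i <= NF; i++) if (tolower($i) == "http") found = 1 }
             END { exit !found }'
}

# Count HTTP/ entries in a klist -kte listing ("-" reads stdin). Anchoring on
# the "HTTP/" SPN prefix avoids matching a hostname that merely contains "http".
keytab_http_entries() {
    grep -ci '[[:space:]]http/' "$1" || true
}

WORK=$(mktemp -d)

# Constructed centrifydc.conf excerpt: only the COMMENTED line has http, so
# the effective setting lacks it. This is the state behind the article's
# "error decoding kerberos request" after adjoin.
cat > "$WORK/conf_missing_http" <<'EOF'
# adclient.krb5.service.principals: http ftp cifs nfs
adclient.krb5.service.principals: ftp cifs nfs
EOF

# Constructed excerpt after the edit from the workarounds.
cat > "$WORK/conf_with_http" <<'EOF'
# adclient.krb5.service.principals: ftp cifs nfs
adclient.krb5.service.principals: http ftp cifs nfs
EOF

# Constructed klist -kte output before the fix: host/ and cifs/ keys only.
cat > "$WORK/klist_before" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/13/09 16:55:12 host/lmrhel51.centrify.seng@CENTRIFY.SENG (arcfour-hmac)
   2 04/13/09 16:55:12 cifs/lmrhel51.centrify.seng@CENTRIFY.SENG (arcfour-hmac)
EOF

# Constructed klist -kte output after adkeytab -a -P http/... -P http/...
cat > "$WORK/klist_after" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/13/09 16:55:12 host/lmrhel51.centrify.seng@CENTRIFY.SENG (arcfour-hmac)
   2 04/13/09 16:55:12 cifs/lmrhel51.centrify.seng@CENTRIFY.SENG (arcfour-hmac)
   3 04/13/09 17:20:01 HTTP/lmrhel51@CENTRIFY.SENG (arcfour-hmac)
   3 04/13/09 17:20:01 HTTP/lmrhel51.centrify.seng@CENTRIFY.SENG (arcfour-hmac)
EOF

for c in conf_missing_http conf_with_http; do
    if conf_has_http "$WORK/$c"; then echo "$c: http configured"; else echo "$c: http MISSING"; fi
done
for k in klist_before klist_after; do
    echo "$k: $(keytab_http_entries "$WORK/$k") HTTP keytab entries"
done
```

The config check deliberately takes the last uncommented match rather than the first line containing the key, because the article's warning is precisely that a commented copy of the parameter can sit next to the live one; `grep cifs` as used in the workaround steps would show both. The keytab check counts entries rather than just testing presence so that the short-name and fully-qualified SPNs added by adkeytab can both be confirmed.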

Resolution:

This will be fixed in a future release of DirectControl.
