CentOS - Dec 2009 - Apache + auth_mod_kerb + Active Directory = SSO

Hey List,

I have been setting up SSO on our Intranet Apache server. All seems
well, I think I have just about cracked it but it seems a little rough
around the edges;

I enabled auth_mod_kerb, and created a test directory in my web root
(/secure) and added a directory directive under the httpd.conf, I
created a user in Active Ditectory, used ktpass.exe to map the user to
the service principal and put the key tab on the Apache server and all
seems well.

I am testing this with FireFox and Internet Explorer (Both on Windows
XP Pro SP3 Client). FireFox works only with the FQDN of the Intranet
server (and not just http://hostname/secure, this gives an
authentication error), and only with our domain name set in
"network.negotiate-auth.delegation-uris" and in
"network.negotate-auth.trusted-uris".

Internet Explorer however only works with http://hostname/secure and
not f.q.d.n/secure? (Integrate with Windows Authentication IS
enabled).

Obviously as this point the reason I am posting here is because I am
trying to eliminate the reasons for this. If it is a client side
problem I need to seeks some more savvy IE/Windows users maybe but I
am posting here to enquire if anyone has any thoughts about it
possibly being DNS related or some sort of server misconfiguration?

uname -a
Linux hades.nr5project.co.uk 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1
09:19:18 EDT 2009 i686 i686 i386 GNU/Linux

Apache/2.2.11 (Unix) mod_auth_kerb/5.4 DAV/2 mod_ssl/2.2.11
OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4
Perl/v5.10.0

Thanks for reading.
-- 
Regards,
James ;)

Charles de Gaulle  - "The better I get to know men, the more I find
myself loving dogs." -
http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html

James Bensley wrote on Thu, 17 Dec 2009 09:46:00 +0000:
> Internet Explorer however only works with http://hostname/secure and
> not f.q.d.n/secure? (Integrate with Windows Authentication IS
> enabled).
That is because your FQDN is detected as Internet zone and that will not 
use Windows Authentication (for obvious reasons). That authentication is 
done only in the Local Intranet zone. You can see that if you look in the 
security settings of IE. (Do not change them!) 
IE should automatically detect that this FQDN is part of your Intranet 
with the "automatically detect" setting if your AD is setup correctly.
If
you can't make this work, you can disable the automatic detection and then 
add FQDNs manually to the Local Intranet zone. Of course, this makes sense 
only if you have a few machines.


Kai

-- 
Kai Sch?tzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com