[rt-users] SSO fallback to RT Login failure

Myrat Saparow muratsaparow at gmail.com
Mon Feb 2 02:51:20 EST 2015 

Hello,

I have been trying to implement SSO on our RT test enviroment, the SSO
login from machines that are authenticated by our dc works fine but I can't
get it to fall back to RT login when SSO fails. I constantly get the
"Unauthorized" page from Apache instead.

Can someone help me with configuring falling back to RT login?

*Environment:*
Ubuntu Server 14.01
RT 4.2.9
Apache2
mod_auth_kerb + krb5

Relevant config file entries

*RT_Siteconfig.pm*

Set( $WebRemoteUserAuth, 1);
Set( $WebRemoteUserInfo, 1);
Set( $WebRemoteUserContinuous, 1);
Set( $WebFallbackToRTLogin, 1);
Set( $WebRemoteUserAutocreate, 1);
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });


*/etc/apache2/sites-available/rt.conf*

 <Location />
  AuthType Kerberos
  Krb5Keytab /etc/apache2/http.keytab
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbLocalUserMapping on
  Require valid-user
  Require ip 127.0.0.1
  AllowOverride None
 </Location>

*/var/log/apache2/error.log*

[Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid
140437369087744] [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child
10 established (server rt.server:443)
[Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid
140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve
(0xc1 -> subcache 1)
[Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid
140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
[Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid
140437369087744] mod_socache_shmcb.c(530): AH00836: leaving
socache_shmcb_retrieve successfully
[Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid
140437369087744] ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832]
AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
[Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid
140437369087744] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832]
AH02034: Initial (No.1) HTTPS request received for child 10 (server
rt.server:443)
[Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid
140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require valid-user : denied (no
authenticated user yet)
[Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid
140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require ip 127.0.0.1: denied
[Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid
140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of <RequireAny>: denied (no authenticated
user yet)
[Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid
140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid
140437360695040] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832]
AH02034: Subsequent (No.2) HTTPS request received for child 10 (server
rt.server:443)
[Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid
140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require valid-user : denied (no
authenticated user yet)
[Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid
140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require ip 127.0.0.1: denied
[Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid
140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of <RequireAny>: denied (no authenticated
user yet)
[Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832]
Acquiring creds for HTTP at rt.server
[Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832]
Verifying client data using KRB5 GSS-API
[Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832]
Client didn't delegate us their credential
[Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832]
Warning: received token seems to be NTLM, which isn't supported by the
Kerberos module. Check your IE configuration.
[Mon Feb 02 12:10:45.740139 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1121): [client xxx.xxx.xxx.xxx:3832]
GSS-API major_status:00010000, minor_status:00000000
[Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid
140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context()
failed: An unsupported mechanism was requested (, Unknown error)


Best Regards,
Myrat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150202/daea1d14/attachment.htm>

More information about the rt-users mailing list