[rt-users] SSO fallback to RT Login failure

Kevin Falcone falcone at bestpractical.com
Mon Feb 2 16:07:27 EST 2015


On Mon, Feb 02, 2015 at 07:51:20AM +0000, Myrat Saparow wrote:
> I have been trying to implement SSO on our RT test environment, the SSO login
> from machines that are authenticated by our dc works fine but I can't get it to
> fall back to RT login when SSO fails. I constantly get the "Unauthorized" page
> from Apache instead.

I believe you want to read up on the Satisfy directive.
There's some additional docs here:
https://bestpractical.com/docs/rt/latest/authentication
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

-kevin

> Can someone help me with configuring falling back to RT login?
> 
> Environment:
> Ubuntu Server 14.01
> RT 4.2.9
> Apache2
> mod_auth_kerb + krb5
> 
> Relevant config file entries
> 
> RT_Siteconfig.pm
> 
> Set( $WebRemoteUserAuth, 1);
> Set( $WebRemoteUserInfo, 1);
> Set( $WebRemoteUserContinuous, 1);
> Set( $WebFallbackToRTLogin, 1);
> Set( $WebRemoteUserAutocreate, 1);
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });
> 
> 
> /etc/apache2/sites-available/rt.conf
> 
>  <Location />
>   AuthType Kerberos
>   Krb5Keytab /etc/apache2/http.keytab
>   KrbMethodNegotiate on
>   KrbMethodK5Passwd off
>   KrbLocalUserMapping on
>   Require valid-user
>   Require ip 127.0.0.1
>   AllowOverride None
>  </Location>
> 
> /var/log/apache2/error.log
> 
> [Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid 140437369087744] [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child 10 established (server rt.server:443)
> [Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve (0xc1 -> subcache 1)
> [Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
> [Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(530): AH00836: leaving socache_shmcb_retrieve successfully
> [Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
> [Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Initial (No.1) HTTPS request received for child 10 (server rt.server:443)
> [Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
> [Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid 140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid 140437360695040] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Subsequent (No.2) HTTPS request received for child 10 (server rt.server:443)
> [Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
> [Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832] Acquiring creds for HTTP at rt.server
> [Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832] Verifying client data using KRB5 GSS-API
> [Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832] Client didn't delegate us their credential
> [Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
> [Mon Feb 02 12:10:45.740139 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1121): [client xxx.xxx.xxx.xxx:3832] GSS-API major_status:00010000, minor_status:00000000
> [Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid 140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
> 
> 
> Best Regards,
> Myrat
> 
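As an added diagnostic aid (not part of the thread, and not a fix), the script below parses the authz_core and auth_kerb entries quoted above and reports why Apache answered 401 before the request ever reached RT, which is why $WebFallbackToRTLogin had no chance to apply. It assumes one log entry per line, as Apache writes them; the sample is the quoted log re-joined from the mail client's wrapping.

```python
import re

# Constructed sample: five entries re-joined onto single lines from the Apache 2.4
# debug log quoted in the thread (the mail client had wrapped them).
SAMPLE_LOG = """\
[Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
[Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid 140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
"""

# AH01626 is written once per Require directive and once for the enclosing
# <RequireAny>/<RequireAll> section; the section line is the final decision.
AUTHZ_RE = re.compile(r"AH01626: authorization result of (?P<rule>.+?)\s*: (?P<result>granted|denied|neutral)(?P<why> \(.*\))?$")
NTLM_RE = re.compile(r"received token seems to be NTLM")
GSS_RE = re.compile(r"gss_accept_sec_context\(\) failed: (?P<err>.+)$")


def parse_authz(log):
    """Return [(rule, result, no_user)] for every AH01626 line, in log order."""
    out = []
    for line in log.splitlines():
        m = AUTHZ_RE.search(line)
        if m:
            out.append((m["rule"].strip(), m["result"], "no authenticated user" in (m["why"] or "")))
    return out


def diagnose(log):
    """Explain why Apache answered 401 instead of handing the request to RT."""
    rules = parse_authz(log)
    sections = [r for r in rules if r[0].startswith("<Require")]
    final = sections[-1] if sections else (rules[-1] if rules else None)
    ntlm = any(NTLM_RE.search(line) for line in log.splitlines())
    gss = next((m["err"] for line in log.splitlines() if (m := GSS_RE.search(line))), None)
    reached_rt = bool(final) and final[1] == "granted"
    reasons = []
    if final and not reached_rt:
        reasons.append("Apache authz denied: " + ", ".join(f"{rule} -> {res}" for rule, res, _ in rules))
    if ntlm:
        reasons.append("client sent an NTLM token, not a Kerberos ticket, so Negotiate cannot succeed with mod_auth_kerb")
    if gss:
        reasons.append("GSS-API rejected the token: " + gss)
    if not reached_rt:
        # $WebFallbackToRTLogin is evaluated inside RT; a 401 from Apache never gets there.
        reasons.append("request never reached RT, so $WebFallbackToRTLogin could not apply")
    return {"authz_rules": rules, "section_result": final[1] if final else None,
            "ntlm_token": ntlm, "gss_error": gss, "request_reached_rt": reached_rt, "reasons": reasons}
```

Run `diagnose(SAMPLE_LOG)["reasons"]` against a full error.log at LogLevel debug to separate "no ticket / NTLM offered" from keytab or SPN problems, which show up as different auth_kerb messages.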