Problems appear when accessing Kerberos protected site by IP address. For example:
http:/10.10.1.x:3001/ gives failure.
http:/my-host:3001/ sso is completes successfully.
Apache error logs say:
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@10.10.1.x [client 10.10.1.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for HTTP@my-host [debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API [debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0
As you could see Kerberos tries to find HTTP@10.10.1.x or HTTP@my-host principals. For both principals created dummy accounts in ActiveDirectory. In keytab file also included both of them:
KVNO Timestamp Principal
---- ----------------- -----------------------------------------------------
5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
Kinit works for both of them.
Kerberos config on server:
Krb5Keytab /etc/krb5.keytab
AuthType Kerberos
KrbMethodNegotiate On
AuthName "Kerberos Login"
KrbAuthRealms MY_DOMAIN.LAN
KrbVerifyKDC Off
KrbMethodK5Passwd On
Require valid-user
Someone could guess where the problem is? Is it possible to use IP address in Kerberos SSO?
Kerberos does not work with IP adresses, it relies on domain names and correct DNS entries only.