Solution for GSS-API major_status:00090000, minor_status:861b6d0c

Problem: You are trying to configure mod_auth_kerb to work with Active Directory. You have created the technical user account "yourserver" for HTTP service in AD and associated it with the Kerberos SPN HTTP/your.server.com@YOURDOMAIN.COM using ktpass.exe. When accessing the page which requires Kerberos auth with IE, you see the following error messages in Apache error log (after raising LogLevel to debug):
    [client nnn.nnn.nnn.nnn] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    src/mod_auth_kerb.c(1101): [client nnn.nnn.nnn.nnn] GSS-API major_status:00090000, minor_status:861b6d0c
    [client nnn.nnn.nnn.nnn] gss_accept_sec_context() failed: A token was invalid (, Unknown code)
You have checked your IE (or Firefox) configuration and are pretty sure that the browser should be sending a Kerberos ticket instead of attempting NTLM authentication.

Solution: First apply some more diagnostics:
  1. Check if the command
    kvno HTTP/your.server.com@YOURDOMAIN.COM
    gives you this message: "HTTP/your.server.com@YOURDOMAIN.COM: Server not found in Kerberos database while getting credentials". If yes, you likely have the problem described here.
  2. On the Windows AD server, check the output of setspn -l yourserver. Does it look like this?
    Registered ServicePrincipalNames for CN=yourserver,OU=Service Accounts,OU=Accounts,DC=yourdomain,DC=com:
            HTTP/your.server.com@YOURDOMAIN.COM
    If yes, then you likely have the problem described here. In a correct configuration the realm suffix (@YOURDOMAIN.COM) should not appear in the command's output: the SPN stored in AD must be the bare HTTP/your.server.com.
To fix the incorrect SPN association, use the following commands on the AD server. The first deletes the realm-suffixed SPN from the account, the second registers the bare SPN that Kerberos clients actually request:
setspn -d HTTP/your.server.com@YOURDOMAIN.COM yourserver
setspn -A HTTP/your.server.com yourserver
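As an added example (not part of the original post), a small Python checker that parses the output of setspn -l, flags any SPN carrying a realm suffix, and emits the corrective setspn -d / setspn -A commands from the fix above. The sample output, including the host/ SPN, is constructed for the example.

```python
import re

# Constructed sample of `setspn -l yourserver` output showing the broken state
# described above (realm suffix on the HTTP SPN). The host/ SPN is also
# constructed and only there to show that correctly formed SPNs are left alone.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=yourserver,OU=Service Accounts,OU=Accounts,DC=yourdomain,DC=com:
        HTTP/your.server.com@YOURDOMAIN.COM
        host/yourserver.yourdomain.com
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")


def parse_setspn_output(text):
    """Return (account_dn, [spn, ...]) from the text printed by `setspn -l`."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty setspn output")
    match = HEADER_RE.match(lines[0])
    if not match:
        raise ValueError("unexpected first line: %r" % lines[0])
    return match.group("dn"), lines[1:]


def realm_suffixed_spns(spns):
    """An SPN stored in AD must be service/host[:port]; one that carries an
    @REALM suffix will never match the service ticket the browser presents."""
    return [spn for spn in spns if "@" in spn]


def remediation_commands(account, spns):
    """Build the setspn -d / setspn -A pairs from the fix above: delete each
    realm-suffixed SPN and register its bare form if it is not already there."""
    commands = []
    present = {spn for spn in spns if "@" not in spn}
    for bad in realm_suffixed_spns(spns):
        bare = bad.split("@", 1)[0]
        commands.append("setspn -d %s %s" % (bad, account))
        if bare not in present:
            commands.append("setspn -A %s %s" % (bare, account))
            present.add(bare)
    return commands


def check(account, text=SAMPLE_SETSPN_OUTPUT):
    """Convenience wrapper: returns the bad SPNs and the commands to fix them."""
    _dn, spns = parse_setspn_output(text)
    return realm_suffixed_spns(spns), remediation_commands(account, spns)


if __name__ == "__main__":
    bad, fixes = check("yourserver")
    print("realm-suffixed SPNs:", bad)
    print("\n".join(fixes))
```

Feed it the real output of setspn -l for the service account (the sAMAccountName, as setspn takes it) to get the exact commands to run; it never modifies AD itself.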
