OTRS 3.1 - SSO with kerberos auth and ldap

Moderator: crythias

Romaing
Znuny newbie
Posts: 60
Joined: 30 Mar 2012, 15:20
Znuny Version: 3.1.5

OTRS 3.1 - SSO with kerberos auth and ldap

Post by Romaing »

Hello,

I've been trying to get single sign on to work for both agents and customers. As of right now: doesn't work for both :D

This tutorial is the one I've been trying to follow: http://ingenious-excerpts.blogspot.fr/2 ... -with.html
Except that I haven't compiled mod_auth_kerb, just installed it from apt-get (through apt-get install samba smbfs libapache2-mod-auth-kerb) and haven't done the .htaccess part as I don't need to block either one of the 'parties'

I got the LDAP part (works for both)
I can do a kinit username@DOMAIN.LOCAL for both agents and users (asks for password, then nothing which is good right ?)

So i add the following to the config.pm

Code: Select all

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
with or without these lines

Code: Select all

$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@BBB.LOCAL';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@BBB.LOCAL';
and all i ever get is:
[Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 192.168.X.X).
May 14 17:23:28 otrs OTRS-CGI-10[11294]: [Error][Kernel::System::User::UserLookup][Line:769]: Need UserLogin or UserID!
Do you guys see anything obvious here ? Is he right to say that everything can be done from linux ? i haven't touched the windows server at all here.
Also, the machines are all windows 7 and a 2008 server
OTRS 3.1.5 on Ubuntu 12.04
Database: MySQL
Module: FAQ
Romaing
Znuny newbie
Posts: 60
Joined: 30 Mar 2012, 15:20
Znuny Version: 3.1.5

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Romaing »

Any help on this ?

I've been trying with PBIS (new version of likewise-open) which is supposed to be a much easier alternative to winbind. It takes care of kerberos setup.

Still stuck though: I've explained everything here: => http://forum.beyondtrust.com/viewthread/31764/

Also tried setting up manually samba and winbind with kerberos but i'm getting nowhere. :(

[edit]: something I don't get is that even if I manually create a ticket for my user (kinit user...)
then do a klist i'll get
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usertest@COMPANY.LOCAL

Valid starting Expires Service principal
05/19/12 18:40:47 05/20/12 04:40:54 krbtgt/COMPANY.LOCAL@COMPANY.LOCAL
renew until 05/20/12 18:40:47
But it doesn't change anything with OTRS, same error as before if i go to customer.pl page with that usertest
OTRS 3.1.5 on Ubuntu 12.04
Database: MySQL
Module: FAQ
Romaing
Znuny newbie
Posts: 60
Joined: 30 Mar 2012, 15:20
Znuny Version: 3.1.5

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Romaing »

up

so still not ready to give up on this, progress has been made. Hopefully someone can just help me understand some "final" things... :?

Forget my second post, I've gone back to trying with 'proper' samba and kerberos packages, not fancier tools with their own way of doing things... (also tried centrify)

I got these tutorials for reference:
http://acksyn.org/diary/?p=460
http://ingenious-excerpts.blogspot.fr/2 ... -with.html
http://wiki.otterhub.org/index.php?titl ... ith_Apache

I got a stock otrs install based on this: http://wiki.otterhub.org/index.php?titl ... ynx_(10.4)

so i access right now my otrs install by typing: http://192.168.1.106/otrs/customer or index.pl
typing the 192.168.1.106 only displays the "it works" apache message info.

So i tried to follow this one: http://acksyn.org/diary/?p=460
Because it covers samba joining to the AD, unlike the second, and less settings to make a mistake too...

my process is:

Code: Select all

apt-get install libapache2-mod-auth-kerb krb5-config krb5-clients krb5-user samba-client

Code: Select all

nano /etc/krb5.conf
[libdefaults]
default_realm = COMPANY.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab

[realms]
company.local = {
kdc = ad1.company.local
master_kdc = ad1.company.local
admin_server = ad1.company.local
default_domain = company.local
}

[domain_realm]
.company.local = COMPANY.LOCAL
company.local = COMPANY.LOCAL

Code: Select all

nano /etc/samba/smb.conf
netbios name = otrs
realm = COMPANY.LOCAL
security = ADS
encrypt passwords = yes
password server = ad1.company.local
workgroup = COMPANY

Code: Select all

net ads keytab add HTTP -U administrateur

Code: Select all

chmod 740 /etc/krb5.keytab 
chgrp www-data /etc/krb5.keytab

Code: Select all

a2enmod auth_kerb
(says it's already loaded)

Code: Select all

nano /etc/apache2/conf.d/otrs.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /otrs>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms COMPANY.LOCAL
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
Now what this gives me is that when i go to http://ip/otrs/customer.pl the web browser asks for the kerberos login. then i can type a active directory user id+password, to be then logged on to otrs (so the otrs logon page does get bypassed).
It's already better BUT useless since i can type any user id and i'll get connected with its account. The point is being forced to be logged in otrs with same account used for win7 logon.

Then, i tried with this more complex setup, in case i missed something
http://ingenious-excerpts.blogspot.fr/2 ... -with.html

for that i installed winbind, since some of the config options do mention winbind settings. And i filled in everything that was missing between the somewhat working config and this one. (not gonna copy paste everything, these are just the altered files):
/etc/samba/smb.conf
/etc/apache2/conf.d/otrs.conf
/etc/krb5.conf
/etc/apache2/httpd.conf

result is: no change at all !! (tried rebooting in case of)

So, looking more and more.
I end up here: http://pix-mania.dyndns.org/mediawiki/i ... ization.29

where i see they use these settings in apache config
#LDAP => authorization
AuthLDAPURL ldap://<ip_ldap_server>:389/<DC>?sAMAccountName
AuthLDAPBindDN <DN>
AuthLDAPBindPassword <password>
Require ldap-group <DN_group>
So I've been trying to add these settings but apache always refuses to restart because of either a mistake in the AuthLDAPURL line or a missing package (and I've tried many, many ways for correct syntax).

Any help please ? I've spent the last 3 days on this :(
OTRS 3.1.5 on Ubuntu 12.04
Database: MySQL
Module: FAQ
fizze
Znuny newbie
Posts: 1
Joined: 07 Mar 2013, 12:50
Znuny Version: ITSM Bundle 3.1

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by fizze »

I'm the author of one of the referenced tutorials, and as I still see some traffic from here, I thought to stop by.

I haven't tried to get SSO going for customers AND agents. But it's an intriguing thought. Did anyone succeed?
Antimidas
Znuny newbie
Posts: 3
Joined: 11 Mar 2013, 18:48
Znuny Version: 3.2.2
Real Name: Marty Hillman
Company: Equus

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Antimidas »

Hi fizze. I just found this article and have been searching for a week as the previous poster was apparently doing. It is late in the day, so I will not be able to test out your steps until tomorrow, but now at least I have the link to your tutorial. I will log and report my experiences and let you know of any suggested changes or points of clarifications that I find.

I had worked with the LDAP authentication, but had issues with it last week. Today, I have spent most of the time playing around with creating a demo domain with user accounts for integration between Ubuntu and active directory. I finally have that set up with likewise and had to add the following to the sudoers file for it to work. The ^ character was important for spaces in group names (rather than a backslash followed by a space).

%DEMO\\Domain^Admins ALL=(ALL) ALL

Though not important to OTRS, I can now use a Domain Admin account to sudo anything needed on the backend. And it proves authentication against AD. I will try the steps in this chain as well as the tutorial and report back.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by crythias »

I want to share my experience with kerberos/sso and the heck I went through until I realized I had multiple SPNs attached.
in a windows client that has setspn,

Code: Select all

setspn -T * -X
This will show all duplicate SPNs. If one is your otrs server, use setspn -D to delete "bad" ones.

This is the relevant part of my otrs.conf:

Code: Select all

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    AuthType Kerberos
    AuthName "Something interesting"
    Krb5Keytab mykeytabfile.keytab
    KrbAuthRealms THE-REALM-IN-krb5.conf
    KrbMethodNegotiate on
    KrbSaveCredentials off
    Require valid-user
    Options +ExecCGI -Includes
    Order allow,deny
    Allow from all
</Directory>
This is my relevant krb5.conf:

Code: Select all

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        default_realm = MYREALM
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        MYREALM = {
                kdc = domaincontroller.domain.local
                kdc = domaincontroller2.domain.local
                kdc = domaincontroller3.domain.local
                admin_server = masterdomaincontroller.domain.local
                default_domain = MYDOMAIN
        }
[domain_realm]
        .domain.local = MYREALM
        domain.local = MYREALM

[login]
        krb4_convert = true
        krb4_get_tickets = false
If not joining the domain, use a username for the spn to create keytab.
*** This is important: Choose only one method to create the spn. If you go the username route, use only one name. If you go the join/ads create keytab route, use THAT keytab and spn.
Windows Event ID 11 on your DC means you've got multiple SPNs, so you will be prompted for password until you resolve it.

with httpBasicAuth in Config.pm, I was able to connect without password to both /index.pl and /customer.pl

These are my Config.pm changes:

Code: Select all

$Self->{LoginURL} = 'http://ticketing/otrs-web/notauthd.html';
$Self->{LogoutURL} = 'http://ticketing/otrs-web/goodbye.html';

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@MYDOMAIN.LOCAL';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@MYDOMAIN.LOCAL';
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by crythias »

I had to revisit this for a new/migrated install. Once you create a keytab, you can use it wherever you put it. You just need to use one of the entries within the keytab as the KrbServiceName

Also, note that the otrs apache-httpd-include.conf has a IfVersion >= 2.4 that really ruined my day for this sso.

Within <Directory "/opt/otrs/bin/cgi-bin/">
find and change

Code: Select all

        <IfVersion >= 2.4>
            #Require all granted
        </IfVersion>
Otherwise, this grants permissions without password. Since you're using SSO, this ignores it. It took me a long time to figure out the problem.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
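
The post above describes an uncommented `Require all granted` overriding `Require valid-user`: in Apache 2.4, several Require directives in the same section are combined as an implicit RequireAny, so the open grant wins. The check below is an added example, not code from the post or from OTRS; the function names and sample configs are constructed for illustration, and IfVersion/IfModule blocks are assumed to be active.

```python
import re

# Containers that only switch directives on or off: a Require inside them
# lands in the enclosing section's authorization scope.
TRANSPARENT = {"ifversion", "ifmodule", "ifdefine"}
# Containers with explicit all/none semantics; the implicit OR does not apply.
EXPLICIT = {"requireall", "requirenone"}
# Require types that demand an authenticated identity.
USER_BASED = {"valid-user", "user", "group", "ldap-user", "ldap-group"}

def _evaluate(frame):
    grants = [n for args, n in frame["requires"] if args == "all granted"]
    auths = [n for args, n in frame["requires"] if args.split()[0] in USER_BASED]
    return [(frame["label"], g, a) for g in grants for a in auths]

def find_open_grants(conf_text):
    """Return (section, grant_line, auth_line) for each section where
    'Require all granted' shares a scope with a user-based Require."""
    stack = [{"label": "server", "kind": "section", "requires": []}]
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out Require has no effect
        closing = re.match(r"</(\w+)>", line)
        opening = re.match(r"<(\w+)\s*(.*?)>$", line)
        if closing and len(stack) > 1:
            frame = stack.pop()
            if frame["kind"] == "section":
                findings.extend(_evaluate(frame))
        elif opening:
            name = opening.group(1).lower()
            if name in TRANSPARENT:
                # Share the parent's list so nested Requires count for the parent.
                frame = {"kind": "transparent", "requires": stack[-1]["requires"]}
            else:
                kind = "explicit" if name in EXPLICIT else "section"
                frame = {"kind": kind, "requires": []}
            frame["label"] = line
            stack.append(frame)
        elif line.lower().startswith("require "):
            args = " ".join(line.split()[1:]).lower()
            stack[-1]["requires"].append((args, line_no))
    return findings

# Constructed samples modelled on the Directory blocks quoted in this thread.
SAME_SCOPE = """
<Directory "/opt/otrs/bin/cgi-bin/">
    Require valid-user
    <IfModule mod_version.c>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
</Directory>
"""
COMMENTED = SAME_SCOPE.replace("Require all granted", "#Require all granted")
FILES_SCOPED = """
<Directory "/opt/otrs/bin/cgi-bin/">
    <Files "customer.pl">
        Require valid-user
    </Files>
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    for conf in (SAME_SCOPE, COMMENTED, FILES_SCOPED):
        print(find_open_grants(conf))
```

The Files-scoped sample is not flagged because, with the default `AuthMerging Off`, the `<Files>` section's own Require replaces the one inherited from the Directory. Every other script in that directory stays open to all in that layout.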
pgmartinez1
Znuny newbie
Posts: 22
Joined: 05 Oct 2015, 16:18
Znuny Version: 5.0.12
Real Name: Pablo Martinez
Company: CONICET

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by pgmartinez1 »

I leave my configuration file, in case you find it useful

Code: Select all

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes
	<Files "index.pl">
		Authtype CAS
		require valid-user
	</Files>
	<Files "customer.pl">
		AuthType Kerberos
		AuthName "Kerberos AUTH"
		KrbMethodNegotiate On
		KrbMethodK5Passwd On
		KrbServiceName HTTP/serverfqdn
		Krb5Keytab /etc/httpd/conf.d/kerberos.keytab
		Require valid-user
	</Files>
	<IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>
Prod > Centos 7.2 / OTRS 5.0.12 / LDAP SSO for customers / CAS SSO for Agents / OCS Integration / PHPFreeChat / Nagios Monitor
Dev > Centos 7.2 / OTRS 5.0.13
swap1154
Znuny newbie
Posts: 1
Joined: 18 Aug 2016, 10:02
Znuny Version: 5.06 on Centos 6.4
Real Name: Swapnil Shinde

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by swap1154 »

Hi Pablo,

Can we have some more steps you have followed to get this auto login done, we are kinda breaking our heads to do the same.

OTRS-5.07.
Centos-6.7
zip
Znuny advanced
Posts: 103
Joined: 02 Jan 2014, 12:32
Znuny Version: 5.0.9

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by zip »

How I did it:

1) Create a AD user
2) Set SPN and create keytab as described in https://tomcat.apache.org/tomcat-7.0-do ... howto.html
3) Copy the keytab to your linux server
4) Install packages, step 2, step 3 from http://funwithlinux.net/2013/05/centos- ... os-ad-sso/
5) Complete your krb5.conf file:

Code: Select all

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
   kdc = domaincontroller2.example.com
   admin_server = domaincontroller1.example.com
 }


[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
6) Insert this code in your apache config file httpd.conf:

Code: Select all

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes
   <Files "customer.pl">
      AuthType Kerberos
      AuthName "Kerberos AUTH"
	  KrbAuthRealms EXAMPLE.COM
	  KrbSaveCredentials off
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbServiceName HTTP/servername.example.com
	  Krb5KeyTab /.../yourkeytabfile.keytab
      Require valid-user
   </Files>
   <Files "index.pl">
      AuthType Kerberos
      AuthName "Kerberos AUTH"
	  KrbAuthRealms EXAMPLE.COM
	  KrbSaveCredentials off
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbServiceName HTTP/servername.example.com
	  Krb5KeyTab /.../yourkeytabfile.keytab
      Require valid-user
   </Files>
   <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>
7) Insert this code in your OTRS config file Config.pm:

Code: Select all

$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace1'} = 'YOURDOMAIN\\';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp1'} = '@EXAMPLE.COM';

$Self->{'AuthModule1'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::Replace1'} = 'YOURDOMAIN\\';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp1'} = '@EXAMPLE.COM';
Done

Apache restart: apachectl restart
Rebuild OTRS Config and delete cache:
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Config::Rebuild" -s /bin/bash otrs
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Cache::Delete" -s /bin/bash otrs
OTRS Log: http://servername.example.com/otrs/inde ... n=AdminLog
Apache log: tail -f --lines=50 /var/log/httpd/error_log
OTRS 5.0.9 - CentOS 7 - MariaDB 5.5
Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE
Contact:

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Sayannara »

I finally, after too many hours.. days... got it working! (Centos 7). Extra information...

my server's name is: feto1s080
realm: fednet.local

1. create user
-> samAccountName: ITMOTRSSSO
-> servicePrincipalName: HTTPS/feto1s080.fednet.local, HTTPS/feto1s080
-> userPrincipalName: HTTPS/feto1s080.fednet.local@FEDNET.LOCAL

2. create keytab
ktpass /princ HTTPS/feto1s080.fednet.local@FEDNET.LOCAL /mapuser ITMOTRSSSO@FEDNET.LOCAL /pass [password] /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 0 /out ITMOTRSSSO.http.keytab

3. copy the keytab
I chose /etc/

4. Packages needed
yum install httpd
yum install krb5-workstation
yum install krb5-libs
yum install samba-client
yum install samba-winbind
yum install mod_auth_kerb

authconfig-tui

authconfig --update --enablewinbindusedefaultdomain
--update -> the "-" char was not the same on my keyboard, I had to copy the char from that link:
https://access.redhat.com/documentation ... -auth.html

kinit ITMOTRSSSO
net ads keytab add HTTP -U ITMOTRSSSO


If you have that issue (if I remember when you try to start winbind service):
"kerberos method" must be set to a keytab method to use keytab functions.

add then:
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

https://readthefuckingmanual.net/error/ ... -functions

Files needed
->/opt/otrs/Kernel/Config.pm
->/etc/httpd/conf.d/zzz_otrs.conf
->/etc/itmotrssso.https.keytab
->/etc/krb5.conf
->/etc/samba/smb.conf


Config.pm (only customers)

Code: Select all

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@FEDNET.LOCAL';
zzz_otrs.conf

Code: Select all

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
         </IfModule>
    </IfModule>

	<Files "customer.pl">
		AuthType Kerberos
		AuthName "Kerberos AUTH"
		KrbMethodNegotiate On
		KrbMethodK5Passwd On
		KrbServiceName HTTPS/feto1s080.fednet.local
		Krb5Keytab /etc/itmotrssso.https.keytab
		Require valid-user

		KrbAuthRealms FEDNET.LOCAL
		KrbSaveCredentials off
	</Files>

</Directory>
krb5.conf

Code: Select all

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = FEDNET.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 FEDNET.LOCAL = {
  kdc = fednet.local:88
  admin_server = fednet.local:749
  kdc = FETO1S012.FEDNET.LOCAL
 }

[domain_realm]
 fednet.local = FEDNET.LOCAL
 .fednet.local = FEDNET.LOCAL
smb.conf

Code: Select all

[global]
#--authconfig--start-line--

# Generated by authconfig on 2018/06/27 16:13:01
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = FEDNET
   password server = FETO1S012.FEDNET.LOCAL
   realm = FEDNET.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /sbin/nologin
#   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

   kerberos method = dedicated keytab
   dedicated keytab file = /etc/itmotrssso.https.keytab
   
#   ....

logs
/var/log/httpd/ssl_error_log
/var/log/httpd/error_log
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache
Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE
Contact:

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Sayannara »

Hello

This is so painful, it no longer works! I even reinstalled a fresh installation :-(

Even when the configuration was not correct I had a popup asking for credentials, but I don't have it anymore. There is no 401 request at all. I used wireshark and Fiddler to analyze the network, and I don't see any traffic on port 88 and no kerberos.msg.

What could prevent my browser from requesting a ticket from the KDC? Apache config is still the same. :oops:
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache
Mak0t0
Znuny newbie
Posts: 2
Joined: 12 Jul 2018, 15:38
Znuny Version: OTRS 5 beta2

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Mak0t0 »

Sayannara wrote: 02 Aug 2018, 15:50 Hello

This is so painful, it no longer works! I even reinstalled a fresh installation :-(

Even when the configuration was not correct I had a popup asking for credentials, but I don't have it anymore. There is no 401 request at all. I used wireshark and Fiddler to analyze the network, and I don't see any traffic on port 88 and no kerberos.msg.

What could prevent my browser from requesting a ticket from the KDC? Apache config is still the same. :oops:
Are you sure that your Kerberos ticket is renewing as expected?
Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE
Contact:

Re: OTRS 3.1 - SSO with kerberos auth and ldap

Post by Sayannara »

Sorry late reply.

Well I can do a kinit and see the result with klist successfully.
OTRS Business Support does not help because my installation is on premise.

Error message => User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 172.22.22.62).
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache