Tags: #kerberos #SSO
21 October 2022 at 17:49 - Views: 985 #14107
Hello,
I'm trying to implement Kerberos SSO on my Otobo installation, but something doesn't work and maybe someone here can give me a hint.
When I go to my server using Edge, instead of being logged in automatically I see the Windows Authentication popup twice:
After I've inserted credentials I see the error message "Internal server error" on a blank page.
I've checked the logs but I haven't found useful information:
docker logs otobo_nginx_1 -f
192.168.50.228 - - [21/Oct/2022:14:33:32 +0000] "GET /otobo HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - - [21/Oct/2022:14:33:32 +0000] "GET /favicon.ico HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - - [21/Oct/2022:14:33:44 +0000] "GET /otobo HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - - [21/Oct/2022:14:33:44 +0000] "GET /otobo HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - myuser [21/Oct/2022:14:33:53 +0000] "GET /otobo HTTP/1.1" 500 21 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - myuser [21/Oct/2022:14:33:53 +0000] "GET /favicon.ico HTTP/1.1" 404 251 "https://otobonew.mydomain.com/otobo" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - myuser [21/Oct/2022:14:33:58 +0000] "GET /otobo/index.pl HTTP/1.1" 500 21 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
192.168.50.228 - myuser [21/Oct/2022:14:34:02 +0000] "GET /otobo/index.pl HTTP/1.1" 500 21 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
Inside Nginx container:
env KRB5_TRACE=/dev/stdout kvno HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL
[1310] 1666365206.709039: Getting credentials HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL -> HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL using ccache FILE:/tmp/krb5cc_0
[1310] 1666365206.709040: Retrieving HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL -> HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL from FILE:/tmp/krb5cc_0 with result: 0/Success
HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL: kvno = 5
klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL
Valid starting Expires Service principal
10/21/22 14:30:48 10/22/22 00:30:48 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 10/22/22 14:30:48, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/21/22 14:35:40 10/22/22 00:30:48 HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL
renew until 10/22/22 14:30:48, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
This is the part of my .env file regarding Kerberos:
# Kerberos keytab, default is /etc/krb5.keytab
OTOBO_NGINX_KERBEROS_KEYTAB=/opt/gitclone/otobo-docker/nginx-conf/krb5.keytab
# Kerberos config, default is /etc/krb5.conf as generated krb5.conf.template
#OTOBO_NGINX_KERBEROS_CONFIG=/opt/gitclone/otobo-docker/nginx-conf/krb5.conf
# Kerberos Service Name
OTOBO_NGINX_KERBEROS_SERVICE_NAME=HTTP/otobokerberos.mydomain.local
# Kerberos REALM
OTOBO_NGINX_KERBEROS_REALM=MYDOMAIN.LOCAL
# Kerberos kdc / AD Controller
OTOBO_NGINX_KERBEROS_KDC=mydomaincontroller.mydomain.local
# Kerberos Admin Server
OTOBO_NGINX_KERBEROS_ADMIN_SERVER=mydomaincontroller.mydomain.local
# Kerberos Default Domain
OTOBO_NGINX_KERBEROS_DEFAULT_DOMAIN=mydomain.local
# Kerberos Substitute Template Directory
NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/config/template-custom
In Config.pm I’ve just added these lines for customers and agents:
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';
Otobo version: 10_1
Thank you in advance for any suggestions.