Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
tutorial:adm:sso_ad_domain [2020/02/17 10:38]
poulm link to SSO tutorial tips
tutorial:adm:sso_ad_domain [2020/06/15 12:49]
apeterova users with many AD groups
Line 91: Line 91:
 </code> </code>
  
-Add Kerberos configuration and setting the ''REMOTE_USER'' header inside the **VirtualHost tag** in ''/etc/httpd/conf.d/ssl.conf''. And exlude "/idm/api/v1/status" from authentication so everyone can access it:+Add Kerberos configuration and setting the ''REMOTE_USER'' header inside the **VirtualHost tag** in ''/etc/httpd/conf.d/ssl.conf''. And exclude "/idm/api/v1/status" from authentication so everyone can access it:
 <code> <code>
        <Location /idm>        <Location /idm>
Line 156: Line 156:
   * The keytab shouldn't be generated with only some ciphers, so use ''-crypto all'' in the command as above.   * The keytab shouldn't be generated with only some ciphers, so use ''-crypto all'' in the command as above.
  
-Usual messages in Apache error log:+Usual messages in Apache error logs:
   * ''krb5\_get\_init\_creds\_password() failed: Cannot contact any KDC for requested realm'': make sure that DC in /etc/krb5.conf kdc communicates on port 88:   * ''krb5\_get\_init\_creds\_password() failed: Cannot contact any KDC for requested realm'': make sure that DC in /etc/krb5.conf kdc communicates on port 88:
 <code bash> <code bash>
Line 164: Line 164:
   * ''krb5\_get\_init\_creds\_password() failed: Preauthentication failed'': the given user has different password.   * ''krb5\_get\_init\_creds\_password() failed: Preauthentication failed'': the given user has different password.
   * ''gss\_accept\_sec\_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer.   * ''gss\_accept\_sec\_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer.
 +  * ''gss\_accept\_sec\_context() failed: An unsupported mechanism was requested (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer. (probably)
   * ''failed to verify krb5 credentials: Key table entry not found'': something is wrong with the keytab. Try to compare its version (KVNO) and the version of Kerberos ticket:   * ''failed to verify krb5 credentials: Key table entry not found'': something is wrong with the keytab. Try to compare its version (KVNO) and the version of Kerberos ticket:
 <code> <code>
Line 181: Line 182:
 </code> </code>
   * ''krb5\_rd\_req() failed when verifying KDC'' followed by ''failed to verify krb5 credentials: Permission denied'': Bad permissions on the keytab file. All httpd processes must have ''read'' access to the keytab.   * ''krb5\_rd\_req() failed when verifying KDC'' followed by ''failed to verify krb5 credentials: Permission denied'': Bad permissions on the keytab file. All httpd processes must have ''read'' access to the keytab.
 +
 +==== Users with many AD groups & Internet Explorer ====
 +
 +Users who are members of many AD groups (e.g. more than 100) and use IE may have problems authenticating to IdM. They would get HTTP response 400: Bad Request and there would be an error message ''request failed: error reading the headers'' in the Apache error log. The reason is, that the Authorization header (holding Kerberos ticket) is longer than the max size of HTTP headers in the Apache webserver. Some browsers, e.g. Chrome, cuts off the tickets, but IE doesn't.
 +
 +If you can't switch to a different browser and you can't lower the amount of AD group memberships, you may increase the limit of the header size in Apache HTTP Server by the [[https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize|LimitRequestFieldSize]] directive. However, the limit may be also on the application server (Apache Tomcat, JBoss). Then you should unset the header so it's not proxied to the application server - put ''RequestHeader unset Authorization'' in the ''/etc/httpd/conf.d/ssl.conf''.
 +
 +An example of the configuration inside ''/etc/httpd/conf.d/ssl.conf'':
 +<code>
 +RequestHeader set REMOTE_USER %{REMOTE_USER}s
 +# Add following lines to enable access for users with many AD groups
 +LimitRequestFieldSize 12392
 +RequestHeader unset Authorization
 +</code>
 +You should estimate the limit for your environment based on the max possible size of the Kerberos ticket https://support.microsoft.com/en-us/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou. Please note that increasing the limit may have impact on your server security (e.g. DDoS attacks). 
  
 ===== See also ===== ===== See also =====
 [[tutorial:adm:sso_configuring_tips|Tips for configuring SSO on Windows (can be useful on Linux servers as well)]] [[tutorial:adm:sso_configuring_tips|Tips for configuring SSO on Windows (can be useful on Linux servers as well)]]
  • by apeterova