Users are not authenticated automatically when accessing the mod_auth_vas secured site.
The browser is not configured to use Kerberos or "Windows Integrated Authentication":
The following error indicates that the browser sent an NTLM negotiate token:
vas_gss_spnego_accept: VAS_ERR_INTERNAL: First call to
gss_accept_sec_context() failed, minor_status = 0, result = 589824,
display_status = A token was invalid
If you are convinced that Kerberos tokens should be sent from the browser, you can confirm this by enabling 'LogLevel debug' in your httpd.conf file and then watch the logs. NTLM tokens sent from the browser will start with "TlRM" while GSSAPI (Kerberos) tokens will start with "YII":
do_gss_spnego_accept: line='TlRMTVNTUAABAAAA...'
do_gss_spnego_accept: line='YIIExAYGKwYBBQUC...'
The solution is to make your client use Kerberos (Windows Integrated Authentication). For Internet Explorer, go through the IE configuration instructions.
https://github.com/OneIdentity/mod_auth_vas/wiki/mod_auth_vas4-How-To
Pay attention to the section on configuring IE6 for Windows Integrated Authentication:
http://support.microsoft.com/kb/299838
---
MAV and all One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.
Main MAV GitHub page:
https://github.com/OneIdentity/mod_auth_vas
Latest MAV Packages:
https://github.com/OneIdentity/mod_auth_vas/releases
Open a MAV Issue:
https://github.com/OneIdentity/mod_auth_vas/issues
MAV Wiki:
https://github.com/OneIdentity/mod_auth_vas/wiki
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center