Hi all
I have issues with automatic login. I just cannot get into the Wiki without entering a password. I have no idea anymore. I have double checked if there is any thread in this forum and I have also checked lots of Google links and by now I think I have everything in place to get this working, however I can only log in by entering correct AD credentials => I get a login form instead of automatic login.
Let's assume the following:
- Domain is AA.BB.CH
- Wiki is accessible through wiki.intranet.cc.ch (note that it is not wiki.aa.bb.ch or something similar, but that should not matter anyway).
- Internet Explorer is our internal standard. The settings are as described in the howtos.
For reasons of privacy I obfuscated the sensitive parts in <> (case-sensitive).
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5/krb5.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/krb5admin_server.log
[libdefaults]
default_ccache_name = FILE:/var/log/apache2/krb5cc_%{uid}
default_realm = AA.BB.CH
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_keytab_name = /etc/apache2/conf.d/<KEYTAB>
[realms]
AA.BB.CH = {
kdc = <DC1>
kdc = <DC2>
admin_server = <DC1>
default_domain = aa.bb.ch
}
[domain_realm]
wiki.intranet.cc.ch = AA.BB.CH
.aa.bb.ch = AA.BB.CH
aa.bb.ch = AA.BB.CH
.intranet.cc.ch = AA.BB.CH
intranet.cc.ch = AA.BB.CH
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
I can get a ticket using kinit <MY_USER>, so basic communication with AD works.
Apache 2.4 Linux
...
# Kerberos Auth
AuthType Kerberos
AuthName AA.BB.CH
KrbAuthRealms AA.BB.CH
KrbServiceName HTTP
Krb5Keytab /etc/apache2/conf.d/<KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Require valid-user
...
Wiki local.protected.php
...
// proxy settings
$conf['proxy']['host'] = '<PROXY>';
$conf['proxy']['port'] = 8080;
...
$conf['superuser'] = '@<WIKI_ADMINS>';
$conf['manager'] = '@<WIKI_ADMINS>';
$conf['authtype'] = 'authad';
$conf['plugin']['authad']['account_suffix'] = '@aa.bb.ch';
$conf['plugin']['authad']['base_dn'] = 'OU=BLA,DC=aa,DC=bb,DC=ch';
$conf['plugin']['authad']['domain_controllers'] = '<DC1>,<DC2>';
$conf['plugin']['authad']['admin_username'] = '<ADMIN>';
$conf['plugin']['authad']['admin_password'] = '<PASSWORD>';
$conf['plugin']['authad']['sso'] = 1;
$conf['plugin']['authad']['real_primarygroup'] = 1;
$conf['plugin']['authad']['debug'] = 1;
$conf['plugin']['authad']['recursive_groups'] = 1;
$conf['plugin']['authad']['expirywarn'] = 0;
...
As I am able to log in manually with an AD user, I assume the basic configuration works, but the SSO part does not, although I am pretty sure that all of the configuration is correct and should work according to all the resources I have read.
Did I miss something or do you see an error?
Any help is appreciated.
Best regards
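
An added example, not part of the original post: a Python sketch of one check for the setup described above. It derives the service principal that corresponds to KrbServiceName HTTP and the wiki's host name, using the [domain_realm] lookup order (exact host, then each parent domain), and tests whether a keytab listing contains it. The keytab entries are constructed sample data and all function names are hypothetical.

```python
# Constructed sample: the [domain_realm] section as shown in the post's krb5.conf.
KRB5_CONF = """\
[domain_realm]
wiki.intranet.cc.ch = AA.BB.CH
.aa.bb.ch = AA.BB.CH
aa.bb.ch = AA.BB.CH
.intranet.cc.ch = AA.BB.CH
intranet.cc.ch = AA.BB.CH
"""

# Constructed sample, NOT the poster's keytab: principal column of a `klist -k` listing.
KEYTAB_PRINCIPALS = ["HTTP/wiki.aa.bb.ch@AA.BB.CH"]


def parse_section(text, name):
    """Return the key/value pairs of one flat [section] of a krb5.conf."""
    pairs, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == name and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs[key] = value
    return pairs


def realm_for_host(host, conf):
    """Map a host to its realm: exact name first, then each parent domain."""
    mapping = parse_section(conf, "domain_realm")
    candidate = host.lower()
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):      # ".x.y" -> "x.y"
            candidate = candidate[1:]
        else:                              # "h.x.y" -> ".x.y"
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return None  # no [domain_realm] entry matched


def expected_principal(service, host, conf):
    """Principal a Negotiate client requests for this service and host."""
    return f"{service}/{host.lower()}@{realm_for_host(host, conf)}"


if __name__ == "__main__":
    spn = expected_principal("HTTP", "wiki.intranet.cc.ch", KRB5_CONF)
    print(spn, "in keytab:", spn in KEYTAB_PRINCIPALS)
```
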