SSO fallback to RT Login failure

Hello,

I have been trying to implement SSO on our RT test environment. The SSO
login from machines that are authenticated by our DC works fine, but I can’t
get it to fall back to RT login when SSO fails. I constantly get the
"Unauthorized" page from Apache instead.

Can someone help me with configuring falling back to RT login?

Environment:
Ubuntu Server 14.01
RT 4.2.9
Apache2
mod_auth_kerb + krb5

Relevant config file entries

RT_Siteconfig.pm

Set( $WebRemoteUserAuth, 1);
Set( $WebRemoteUserInfo, 1);
Set( $WebRemoteUserContinuous, 1);
Set( $WebFallbackToRTLogin, 1);
Set( $WebRemoteUserAutocreate, 1);
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });

/etc/apache2/sites-available/rt.conf

AuthType Kerberos
Krb5Keytab /etc/apache2/http.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping on
Require valid-user
Require ip 127.0.0.1
AllowOverride None

/var/log/apache2/error.log

[Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid
140437369087744] [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child
10 established (server rt.server:443)
[Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid
140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve
(0xc1 -> subcache 1)
[Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid
140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
[Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid
140437369087744] mod_socache_shmcb.c(530): AH00836: leaving
socache_shmcb_retrieve successfully
[Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid
140437369087744] ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832]
AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
[Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid
140437369087744] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832]
AH02034: Initial (No.1) HTTPS request received for child 10 (server
rt.server:443)
[Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid
140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require valid-user : denied (no
authenticated user yet)
[Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid
140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require ip 127.0.0.1: denied
[Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid
140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of : denied (no authenticated
user yet)
[Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid
140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid
140437360695040] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832]
AH02034: Subsequent (No.2) HTTPS request received for child 10 (server
rt.server:443)
[Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid
140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require valid-user : denied (no
authenticated user yet)
[Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid
140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of Require ip 127.0.0.1: denied
[Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid
140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832]
AH01626: authorization result of : denied (no authenticated
user yet)
[Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832]
Acquiring creds for HTTP@rt.server
[Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832]
Verifying client data using KRB5 GSS-API
[Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832]
Client didn’t delegate us their credential
[Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832]
Warning: received token seems to be NTLM, which isn’t supported by the
Kerberos module. Check your IE configuration.
[Mon Feb 02 12:10:45.740139 2015] [auth_kerb:debug] [pid 27607:tid
140437360695040] src/mod_auth_kerb.c(1121): [client xxx.xxx.xxx.xxx:3832]
GSS-API major_status:00010000, minor_status:00000000
[Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid
140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context()
failed: An unsupported mechanism was requested (, Unknown error)

Best Regards,
Myrat
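
A small triage script for the error.log excerpt above, added here as an example (it is not from the thread, RT or mod_auth_kerb): it parses Apache 2.4 error-log lines, records per client which Require directives denied and whether mod_auth_kerb saw an NTLM token or a gss_accept_sec_context() failure, and states why Apache answered 401 itself instead of handing the request to RT's own login form. The sample lines are constructed from the post's excerpt, re-joined to one line each, with a documentation-range client address in place of the masked one.

```python
import re
from collections import defaultdict

# Apache 2.4 error.log layout in the thread: [ts] [module:level] [pid N:tid N] [file(line):] [client ip:port] msg
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid \d+:tid \d+\] "
    r"(?:\S+\(\d+\): )?(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
DENIED_RE = re.compile(r"authorization result of (?P<req>.*?)\s*: denied")

def parse_line(line):
    """Split one error.log line into fields; None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def verdict(e):
    # Why Apache answered 401 itself instead of handing the request on to RT.
    if e["ntlm_token"]:
        return ("client answered Negotiate with an NTLM token (no Kerberos ticket for this "
                "host); mod_auth_kerb rejects it and Apache answers 401 before RT runs")
    if e["gss_failed"]:
        return "GSS-API accept failed; Apache answers 401 before RT runs"
    return "all Require directives denied, no Kerberos exchange logged" if e["denied"] else "ok"

def triage(lines):
    """Per client: request count, which Require directives denied, Kerberos failures."""
    out = defaultdict(lambda: {"requests": 0, "denied": [], "ntlm_token": False, "gss_failed": False})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["client"]:   # socache/ssl-cache lines carry no client
            continue
        e, msg = out[rec["client"]], rec["msg"]
        if "HTTPS request received" in msg:
            e["requests"] += 1
        elif rec["module"] == "authz_core" and DENIED_RE.search(msg):
            e["denied"].append(DENIED_RE.search(msg).group("req") or "(unnamed)")
        elif rec["module"] == "auth_kerb" and "seems to be NTLM" in msg:
            e["ntlm_token"] = True
        elif rec["module"] == "auth_kerb" and "gss_accept_sec_context() failed" in msg:
            e["gss_failed"] = True
    for e in out.values():
        e["verdict"] = verdict(e)
    return dict(out)

# Constructed sample: the thread's entries re-joined to one line each, client from the RFC 5737 range.
SAMPLE_LOG = """\
[Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(222): [client 198.51.100.7:3832] AH02034: Initial (No.1) HTTPS request received for child 10 (server rt.server:443)
[Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client 198.51.100.7:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client 198.51.100.7:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
[Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1450): [client 198.51.100.7:3832] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid 140437360695040] [client 198.51.100.7:3832] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
"""
```

Running `triage(SAMPLE_LOG.splitlines())` returns one entry for the sample client with both Require directives denied and the NTLM verdict.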

I have been trying to implement SSO on our RT test environment. The SSO login
from machines that are authenticated by our DC works fine, but I can’t get it to
fall back to RT login when SSO fails. I constantly get the “Unauthorized” page
from Apache instead.

I believe you want to read up on the Satisfy directive.
There’s some additional docs here:
https://bestpractical.com/docs/rt/latest/authentication
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

-kevin

“Require ip 127.0.0.1” was put there to allow local mail requests to pass; I
moved it to a separate Location in the config.

# Allow the mail gateway to send mail via the RT site
<Location /REST/1.0/NoAuth/mail-gateway>
Order deny,allow
Deny from all
Allow from localhost
Satisfy any
</Location>

<Location /NoAuth>
Satisfy any
Allow from all
</Location>

SSO works fine with machines that are members of the local AD.
The authorization problem arises when I try to log in from a machine that is
not a member of the AD. I thought that with “$WebFallbackToRTLogin” set to
true, the user is redirected to the RT login form when authentication with
Kerberos fails. Am I missing something here? Or should I just set up another
virtual host without SSO to be able to log on with local users, as suggested
in this post http://www.gossamer-threads.com/lists/rt/users/117509#117509?

Regards,
Myrat

On Tue Feb 03 2015 at 2:08:30 AM Kevin Falcone <falcone@bestpractical.com> wrote:

I believe you want to read up on the Satisfy directive.
There’s some additional docs here:
https://bestpractical.com/docs/rt/latest/authentication
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

-kevin
