8

Problems appear when accessing a Kerberos-protected site by IP address. For example:

http://10.10.1.x:3001/ fails.

http://my-host:3001/ SSO completes successfully.

Apache error logs say:

src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@10.10.1.x [client 10.10.1.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)

src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for HTTP@my-host [debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API [debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0

As you can see, Kerberos tries to find the HTTP@10.10.1.x or HTTP@my-host principal. For both principals I created dummy accounts in Active Directory. The keytab file also includes both of them:

KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
  11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)

kinit works for both of them.

Kerberos config on server:

   Krb5Keytab /etc/krb5.keytab
   AuthType Kerberos
   KrbMethodNegotiate On
   AuthName "Kerberos Login"
   KrbAuthRealms MY_DOMAIN.LAN
   KrbVerifyKDC Off
   KrbMethodK5Passwd On
   Require valid-user

Can someone guess where the problem is? Is it possible to use an IP address in Kerberos SSO?

Sicco
Maksim Sirotkin

3 Answers

13

Kerberos does not work with IP addresses; it relies on domain names and correct DNS entries only.

Michael-O
  • It is rather shocking and strange to me that this was never mentioned in any of the articles about Kerberos. Could you name another way of SSO authentication that supports IP addresses? – Maksim Sirotkin Sep 05 '12 at 11:16
  • 1
    I don't think so. Please read [this](http://support.microsoft.com/kb/322979/en-us?fr=1) and [this](http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#kerbdns). Well, the name `SPN` implies that it operates on *names* and not IP addresses. There is no alternative to Kerberos in a corporate environment. Everything else is not SSO. Why don't you want to use the hostname? The entire Active Directory is about DNS, hostnames and Kerberos. It uses DNS to discover DCs and KDCs and many more services. – Michael-O Sep 05 '12 at 11:52
  • Thank you, your response was really helpful. Our partners use IP address links; it will be difficult to make them use DNS. – Maksim Sirotkin Sep 05 '12 at 12:20
  • So, you might accept my answer. Your partner should employ Kerberos as it was meant to be used or use some other mechanism like an LDAP bind but this would force anyone to provide credentials over and over again. – Michael-O Sep 05 '12 at 13:06
  • I found that the overthere library can use Kerberos authorization for an IP target. I investigated the source code and created a sample project using overthere code snippets. It works, but I don't understand how. – John Oct 27 '15 at 14:28
1

A Microsoft KB article says that this is by design:

https://support.microsoft.com/en-ca/kb/322979

The title of the above KB is: Kerberos is not used when you connect to SMB shares by using IP address

Jim
0

I realize this is a very old thread, but it is a top choice for any related searches. I think it's worth noting that Microsoft has recently added Kerberos client support using IPv4 and IPv6.

Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.

To reduce the impact of disabling NTLM a new capability was introduced that lets administrators use IP addresses as hostnames in Service Principal Names. This capability is enabled on the client through a registry key value.

Since this is a client-side fix, your Kerberos client must be running an appropriate version of Windows and receive the TryIPSPN registry entry. Your service must also have an IP-based SPN registered to it in Active Directory.

twconnell
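As an added example (not code from the answer above), the two halves of the approach this answer describes, written as PowerShell for a domain administrator: enable TryIPSPN on a Windows 10 1507+/Server 2016+ client, register an IP-based SPN on the service account in Active Directory, and verify it. The account name svc-web, the address 10.10.1.5 and the host my-host are constructed placeholders; the registry location is the one Microsoft documents for this value.

```powershell
# Added example; svc-web, 10.10.1.5 and my-host are constructed placeholders.
$ServiceAccount = 'svc-web'     # AD account the HTTP service's keytab keys belong to
$ServiceIp      = '10.10.1.5'
$HostName       = 'my-host'

# --- Client side: let the Kerberos client request HTTP/<ip> SPNs ---
# Without TryIPSPN a client browsing to http://10.10.1.5/ never asks the KDC
# for HTTP/10.10.1.5 and falls back to NTLM (or fails, as in the question).
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
Set-ItemProperty -Path $KerbParams -Name 'TryIPSPN' -Type DWord -Value 1

# --- Directory side: register both the name-based and the IP-based SPN ---
# -S checks for duplicates before adding; a duplicate SPN breaks Kerberos
# for every host that shares it, so never use -A blindly.
setspn -S "HTTP/$HostName"  $ServiceAccount
setspn -S "HTTP/$ServiceIp" $ServiceAccount

# --- Verify: the IP SPN must be listed on the account ---
$spns = setspn -L $ServiceAccount
if ($spns -match "HTTP/$ServiceIp") {
    Write-Host "IP SPN HTTP/$ServiceIp is registered on $ServiceAccount"
} else {
    Write-Warning "IP SPN missing: http://$ServiceIp/ will not get a Kerberos ticket"
}

# --- Client check after purging cached tickets and browsing to the IP URL ---
# A service ticket for HTTP/<ip> in klist output confirms the IP SPN path worked.
klist | Select-String "HTTP/$ServiceIp"
```

The service's keytab must hold a key for HTTP/10.10.1.5@REALM as well, exactly as the question's keytab already does; run `klist purge` on the client before retesting so a stale ticket is not reused.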