subversion + neon + windows + mod_kerb = InitializeSecurityContext SEC_E_INTERNAL_ERROR

Alon Bar-Lev alon.barlev at gmail.com
Sun Oct 2 15:31:43 EDT 2011


More information, I am getting this message once after reboot, found
no reference for this in the Internet.
---
Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator)
Event ID:	40962
Date:		10/2/2011
Time:		9:21:58 PM
User:		N/A
Computer:	VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.
---

I also created spn using ktpass so I have:
---
Keytab name: WRFILE:/etc/alon1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/correlux-gentoo.correlsense.com at CORRELSENSE.COM (arcfour-hmac)
---

Just in cast the DC does not accept DES anymore.
I can see this at setspn -l.

Again,
All other tools are working except of neon...

On Sun, Oct 2, 2011 at 4:48 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Forgot to mention that when running on the same windows workstation
> Internet Explorer and Firefox do succeed in authenticating without any
> problem to the same location.
>
> XP and Windows 7 - same behavior.
>
> Thanks!
>
> On Sun, Oct 2, 2011 at 4:45 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>> Hello,
>>
>> On Linux works perfectly!
>>
>> Configuration is Windows 2003 AD, apache2+mod_auth_kerb-5.4
>>
>> At server side I don't see any error, but on client side I see
>> InitializeSecurityContext returning an error.
>>
>> I see in kerbtray that a valid ticket was acquired at windows side.
>>
>> Running both as:
>> ---
>> TortoiseSVN 1.6.16, Build 21511 - 32 Bit , 2011/06/01 19:00:35
>> Subversion 1.6.17,
>> apr 1.3.12
>> apr-utils 1.3.12
>> neon 0.29.6
>> OpenSSL 1.0.0d 8 Feb 2011
>> zlib 1.2.5
>> ---
>> And:
>> ---
>> svn, version 1.6.17-SlikSvn-tag-1.6.17 at 1130896-WIN32 (SlikSvn/1.6.17) WIN32
>>   compiled Jun  3 2011, 07:33:44
>> ---
>>
>> Neon Log
>> ---
>> Running post_send hooks
>> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is
>> Negotiate oYGfMIGcoAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqADAgEXolsEWeZpnkhcM6L/46+tUax3WtI15nBHJ63lGFL3ohcnJUb5qddhrMDQssCL6fYbOtjrUxpGPMplfIlXDxl089lYbUyqcE++7eBFwDDY9l5dT6FJeAvQfKZ8pUfB
>> auth: SSPI challenge.
>> InitializeSecurityContext [fail] [80090304].
>> sspi: initializeSecurityContext [failed] [80090304].
>> Request ends, status 201 class 2xx, error line:
>> 201 Created
>> Running destroy hooks.
>> Request ends.
>> svn: Commit failed (details follow):
>> svn: MKACTIVITY of '/svn/Test/!svn/act/6694f132-323c-334e-a863-5f6b6ca1d8d9': 20
>> 1 Created (https://correlux-gentoo.correlsense.com)
>> ---
>>
>> httpd Log
>> ---
>> Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1628): [client
>> 10.10.49.56] kerb_authenticate_user entered with user (NULL) and
>> auth_type Kerberos
>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1240): [client
>> 10.10.49.56] Acquiring creds for HTTP at correlux-gentoo.correlsense.com
>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1385): [client
>> 10.10.49.56] Verifying client data using KRB5 GSS-API with our SPNEGO
>> lib
>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1401): [client
>> 10.10.49.56] Client didn't delegate us their credential
>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1420): [client
>> 10.10.49.56] GSS-API token of length 162 bytes will be sent back
>> ---
>>
>> I see same httpd messages in working linux client setup.
>>
>> Has anyone had this? Any clue how to debug this farther?
>> Thanks!
>> Alon.
>>
>



More information about the neon mailing list