
GSSAPI Negotiate authentication fails different domain DNS and Windows Active Directory
From my browser I want to open the site http://auth.another.com and authenticate with Kerberos (AuthType: “Negotiate”). I don't want to enter a user name and password (AuthType: Basic).

If I use http://auth.example.local, which is in the same domain (example.local) as the Active Directory, the Negotiate authentication works perfectly. If I use another domain it does not work.

My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.LOCAL = {
  kdc = svr-dc1.example.local
  admin_server = svr-dc1.example.local
 }

[domain_realm]
 .example.local = EXAMPLE.LOCAL
 example.local = EXAMPLE.LOCAL

DNS

auth.another.com

Windows Active Directory user account:

http/[email protected]

I tried adding this to krb5.conf:

[domain_realm]
 .another.com = EXAMPLE.LOCAL
 another.com = EXAMPLE.LOCAL

Solution

  • I found the solution. The SPN I had created started with HTTPS/ because I thought using the HTTPS protocol required the SPN to be defined as HTTPS, but no, it must remain HTTP.
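To illustrate the two things this question turns on (how a host name is mapped to a realm through [domain_realm], and that a Negotiate client always requests an HTTP/ service principal regardless of the URL scheme), here is an added Python example that is not part of the original post. It uses a constructed krb5.conf fragment modelled on the question and a simplified version of the library's lookup order, which is an assumption rather than the exact MIT or Heimdal code path.

```python
# Constructed krb5.conf fragment modelled on the question (assumption: not the poster's file verbatim).
KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.LOCAL
 dns_lookup_realm = false
[domain_realm]
 .example.local = EXAMPLE.LOCAL
 example.local = EXAMPLE.LOCAL
"""

def parse_sections(text):
    """Collect the flat 'key = value' lines of each [section]; nested { } realm blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def realm_for_host(hostname, conf):
    """Host -> realm, simplified: with dns_lookup_realm off, try an exact [domain_realm]
    entry, then the longest '.parent.domain' suffix, and fall back to default_realm."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # tries '.another.com', then '.com'
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")

def expected_spn(url_host, conf):
    """A Negotiate client asks the KDC for HTTP/<host>@<realm>; the URL scheme (http or https) plays no part."""
    return f"HTTP/{url_host.lower()}@{realm_for_host(url_host, conf)}"

def spn_matches(registered_spn, url_host, conf):
    """Would the SPN registered in AD satisfy this request? (AD compares SPNs case-insensitively.)"""
    return registered_spn.lower() == expected_spn(url_host, conf).lower()
```

With the question's configuration, auth.another.com has no [domain_realm] entry and falls back to default_realm, so the client still asks for HTTP/auth.another.com@EXAMPLE.LOCAL; an account registered as HTTPS/auth.another.com never matches that request.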