    • #14107
      Stefano Grespan
      Participant

        Hello,

        I’m trying to implement Kerberos SSO on my Otobo installation, but something doesn’t work and maybe someone here can give me a hint.

        When I go to my server using Edge, instead of being logged in automatically I see the Windows Authentication popup twice.

        After I’ve entered my credentials, I see the error message “Internal server error” on a blank page.

        I’ve checked the logs but I haven’t found any useful information:

        docker logs otobo_nginx_1 -f

        192.168.50.228 - - [21/Oct/2022:14:33:32 +0000] "GET /otobo HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - - [21/Oct/2022:14:33:32 +0000] "GET /favicon.ico HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - - [21/Oct/2022:14:33:44 +0000] "GET /otobo HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - - [21/Oct/2022:14:33:44 +0000] "GET /otobo HTTP/1.1" 401 581 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - myuser [21/Oct/2022:14:33:53 +0000] "GET /otobo HTTP/1.1" 500 21 "https://otobonew.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - myuser [21/Oct/2022:14:33:53 +0000] "GET /favicon.ico HTTP/1.1" 404 251 "https://otobonew.mydomain.com/otobo" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - myuser [21/Oct/2022:14:33:58 +0000] "GET /otobo/index.pl HTTP/1.1" 500 21 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"
        192.168.50.228 - myuser [21/Oct/2022:14:34:02 +0000] "GET /otobo/index.pl HTTP/1.1" 500 21 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53" "-"

        Inside Nginx container:

        env KRB5_TRACE=/dev/stdout kvno HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL
        [1310] 1666365206.709039: Getting credentials HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL -> HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL using ccache FILE:/tmp/krb5cc_0
        [1310] 1666365206.709040: Retrieving HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL -> HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL from FILE:/tmp/krb5cc_0 with result: 0/Success
        HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL: kvno = 5

        klist -e
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL

        Valid starting     Expires            Service principal
        10/21/22 14:30:48  10/22/22 00:30:48  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
                renew until 10/22/22 14:30:48, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        10/21/22 14:35:40  10/22/22 00:30:48  HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL
                renew until 10/22/22 14:30:48, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac

        This is the part of my .env file regarding Kerberos:

        # Kerberos keytab, default is /etc/krb5.keytab
        OTOBO_NGINX_KERBEROS_KEYTAB=/opt/gitclone/otobo-docker/nginx-conf/krb5.keytab

        # Kerberos config, default is /etc/krb5.conf as generated krb5.conf.template
        #OTOBO_NGINX_KERBEROS_CONFIG=/opt/gitclone/otobo-docker/nginx-conf/krb5.conf

        # Kerberos Service Name
        OTOBO_NGINX_KERBEROS_SERVICE_NAME=HTTP/otobokerberos.mydomain.local

        # Kerberos REALM
        OTOBO_NGINX_KERBEROS_REALM=MYDOMAIN.LOCAL

        # Kerberos kdc / AD Controller
        OTOBO_NGINX_KERBEROS_KDC=mydomaincontroller.mydomain.local

        # Kerberos Admin Server
        OTOBO_NGINX_KERBEROS_ADMIN_SERVER=mydomaincontroller.mydomain.local

        # Kerberos Default Domain
        OTOBO_NGINX_KERBEROS_DEFAULT_DOMAIN=mydomain.local

        # Kerberos Substitute Template Directory
        NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/config/template-custom

        In Config.pm I’ve just added these lines for customers and agents:

        $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
        $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';

        $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
        $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';

        Otobo version: 10_1

        Thank you in advance for any suggestions.
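
The `klist -e` output in the post shows the HTTP service ticket issued with `arcfour-hmac` while the TGT uses `aes256-cts-hmac-sha1-96`. As an added example (not part of the original post and not OTOBO code), this shell function scans `klist -e` output for tickets with deprecated encryption types; the function names are hypothetical and the sample input is the ticket list from the post.

```shell
#!/bin/sh
# Added example (not from the post): flag tickets in `klist -e` output whose
# session key or ticket uses a deprecated or legacy encryption type.

# Reads `klist -e` text on stdin.
# Prints one line per hit: "<principal> <skey etype> <tkt etype>".
weak_etype_tickets() {
    awk '
        # Ticket line: start date, start time, end date, end time, principal.
        # Assumes the MM/DD/YY date layout shown in the post.
        $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && NF >= 5 { principal = $5; next }

        /Etype \(skey, tkt\):/ {
            etypes = $0
            sub(/^.*Etype \(skey, tkt\): */, "", etypes)
            if (split(etypes, e, /, */) < 2) next
            weak = 0
            for (i = 1; i <= 2; i++) {
                sub(/[ \t\r]+$/, "", e[i])
                # MIT klist prefixes weak etypes with "DEPRECATED:"; the name
                # patterns also catch RC4/DES on builds without that prefix.
                if (e[i] ~ /^(DEPRECATED:|arcfour-|des3?-)/) weak = 1
                sub(/^DEPRECATED:/, "", e[i])
            }
            if (weak) print principal, e[1], e[2]
        }
    '
}

# Sample input: the ticket list from the klist -e output in the post.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
10/21/22 14:30:48  10/22/22 00:30:48  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 10/22/22 14:30:48, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/21/22 14:35:40  10/22/22 00:30:48  HTTP/otobokerberos.mydomain.local@MYDOMAIN.LOCAL
        renew until 10/22/22 14:30:48, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
EOF
}

sample_klist | weak_etype_tickets
```

Against a live cache the same function is fed directly: `klist -e | weak_etype_tickets`.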

         
