• pwssupport

    (@pwssupport)


    We have installed Kerberos and enabled the SSO feature. I am pretty sure that we followed all the necessary steps from the installation instructions for Next ADI. However, the user still gets a login prompt when accessing the site the first time. The message on the prompt says “The server reports that it is from Kerberos authenticated intranet.”

    So, does this mean that Kerberos is not installed correctly? Is it bypassing Kerberos and using NTLM authentication instead? In the security settings, I have verified that user authentication is set to “Automatic logon with current username and password”. Thank you very much for your help.

    • This topic was modified 8 years ago by pwssupport.
Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author schakko

    (@schakko)

    This seems to be a problem of your Kerberos setup and is not related to NADI itself.

    Thread Starter pwssupport

    (@pwssupport)

    Hi Schakko,

    Thanks for the info. It looks like Kerberos does try to authenticate the user, but the user info didn’t get passed through; it is showing NULL. So our UNIX admin doesn’t have any clue at this point either. Is there anything else we need to look at? Thank you very much for your help.

    [Mon Nov 07 09:52:19.582241 2016] [ssl:debug] [pid 13992] ssl_engine_kernel.c(224): [client 172.24.51.71:60871] AH02034: Subsequent (No.2) HTTPS request received for child 1 (server intranet.test.ad:443), referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.582539 2016] [authz_core:debug] [pid 13992] mod_authz_core.c(809): [client 172.24.51.71:60871] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.582550 2016] [authz_core:debug] [pid 13992] mod_authz_core.c(809): [client 172.24.51.71:60871] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.582563 2016] [auth_kerb:debug] [pid 13992] src/mod_auth_kerb.c(1954): [client 172.24.51.71:60871] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.582621 2016] [auth_kerb:debug] [pid 13992] src/mod_auth_kerb.c(1295): [client 172.24.51.71:60871] Acquiring creds for HTTPS/[email protected], referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.589701 2016] [auth_kerb:debug] [pid 13992] src/mod_auth_kerb.c(1708): [client 172.24.51.71:60871] Verifying client data using KRB5 GSS-API , referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.589735 2016] [auth_kerb:debug] [pid 13992] src/mod_auth_kerb.c(1724): [client 172.24.51.71:60871] Client didn't delegate us their credential, referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.589740 2016] [auth_kerb:debug] [pid 13992] src/mod_auth_kerb.c(1752): [client 172.24.51.71:60871] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration., referer: https://intranet.test.ad/
    [Mon Nov 07 09:52:19.589747 2016] [auth_kerb:debug] [pid 13992] src/mod_auth_kerb.c(1155): [client 172.24.51.71:60871] GSS-API major_status:00010000, minor_status:00000000, referer: https://intranet.test.ad/
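    For reference, an added mod_auth_kerb configuration fragment (not from this thread and not NADI documentation; hostname, realm and keytab path are placeholders chosen for the example) showing the two settings that decide what the trace above reports. The prompt text quoted in the first post is the AuthName, which the browser only displays when the module falls back to Basic authentication (KrbMethodK5Passwd, on by default): with that fallback a failed Negotiate turns into a password dialog, and the user's AD password is then sent to the web server inside the TLS session. The trace also shows credentials being acquired for an HTTPS/ principal; Windows browsers request HTTP/<host> from the KDC even for https:// URLs, so the keytab and KrbServiceName must use the HTTP/ form or the client falls back to NTLM.

```apache
# Added example, not the configuration from this thread.
# Hostname, realm and keytab path are placeholders.
<Location />
    AuthType Kerberos
    AuthName "Kerberos authenticated intranet"
    KrbAuthRealms TEST.AD
    # Keytab must hold HTTP/intranet.test.ad@TEST.AD: Windows clients ask
    # the KDC for HTTP/<host>, not HTTPS/<host>, even for https:// URLs.
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP/intranet.test.ad
    KrbMethodNegotiate On
    # Weak setting: keeps a Basic-auth fallback, so a failed Negotiate
    # (for example the NTLM token in the trace) becomes a password prompt
    # and the browser sends the AD password to the web server.
    # KrbMethodK5Passwd On
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
```

    With the Basic fallback off, a Negotiate failure stays a failure (401 with only `WWW-Authenticate: Negotiate`) instead of silently degrading to password authentication, which is what makes the NTLM warning in the log impossible to miss.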
    Plugin Author schakko

    (@schakko)

    Thread Starter pwssupport

    (@pwssupport)

    The root cause is that our intranet site is using the domain https://intranet.company.com as its FQDN for Google Analytics tracking purposes, but the AD is using @test.ad. So Kerberos cannot authenticate between two different domain names. This is where we failed.

    Based on the answer that we got from the network team, the only solution is to change the domain name to match the internal domain @test.ad. I just want to double-check whether there is any alternative solution that would let us avoid changing the domain name. Thank you.

    Plugin Author schakko

    (@schakko)

    I am afraid there is no other solution. At least from NADI’s/WordPress’ point of view this cannot be solved. Theoretically speaking, you could set up a second domain and domain controller for intranet.company.com, configure Kerberos ticket delegation and work with split-brain DNS…

    Thread Starter pwssupport

    (@pwssupport)

    Hi @schakko, we changed our domain to fit the domain controller. However, the SSO is still not working. We still get a prompt the first time we try to access the site. The service account we used to connect to the AD domain returns the message below. I wonder if that is the root cause?

    Verification successful! WordPress site is now connected to Domain: S-0

    If I change that by using my own NT login, I get the message below.

    Verification successful! WordPress site is now connected to Domain: S-1-5-21-3056053478-64484923-26988263

    I also tried to synchronize the users from AD to WordPress and got 0 members returned. Is this the reason that the SSO is not working? The network folks said there is no problem with the service account, but I think that’s the root cause of this issue.

    [INFO ] Start of Sync to WordPress 
    [INFO ] LDAP connection is encrypted with "starttls" 
    [INFO ] In group 'id:513' are 0 members. 
    [INFO ] Number of users to import/update: 8 (2 seconds)

    Thanks so much for your help.

    Thread Starter pwssupport

    (@pwssupport)

    Extra info:

    If I click on the “Log in with SSO” test link on the login page, I am logged in directly. So, apparently the SSO is working. I don’t quite understand why the log keeps showing the user as NULL.

    [Fri Nov 18 14:13:45.025366 2016] [authz_core:debug] [pid 4195] mod_authz_core.c(809): [client 172.24.51.71:57084] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Fri Nov 18 14:13:45.025389 2016] [authz_core:debug] [pid 4195] mod_authz_core.c(809): [client 172.24.51.71:57084] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Fri Nov 18 14:13:45.025407 2016] [auth_kerb:debug] [pid 4195] src/mod_auth_kerb.c(1954): [client 172.24.51.71:57084] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    Plugin Author schakko

    (@schakko)

    – There must be two service accounts configured: one for SSO, one for Sync to WordPress. You can use the same AD account. If the S-0 SID is returned, this can mean that the service account itself has no valid userPrincipalName and/or UPN suffix. Authentication will nevertheless work. Let the network guys check that the userPrincipalName is defined for the account and *not only* the sAMAccountName.
    – Synchronization does not work because authentication works but no valid domain SID was returned previously.
    – Kerberos Log: not sure about the NULL value. Full log required.
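    The reply above turns on whether the verification step returned a real domain SID (`S-1-5-21-…`) or the `S-0` placeholder. As an added example (not NADI code), the following Python script encodes and decodes SIDs in the binary `objectSid` layout AD stores, checks that a SID string is a domain SID, and applies that check to the two verification lines quoted in this thread. The `split_rid` helper goes slightly beyond the thread by splitting an account SID into domain SID and RID, which is how the user-to-domain relationship is recovered from a user's own SID.

```python
"""Decode and validate Active Directory SIDs.

Added example for this thread (not NADI code): decides whether a
"connected to Domain: <sid>" line carries a real domain SID.
"""
import re
import struct

# S-<revision>-<identifier authority>[-<subauthority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

# Verification lines quoted in this thread (S-0 from the service account,
# the real domain SID from the poster's own login).
PAGE_MESSAGES = [
    "Verification successful! WordPress site is now connected to Domain: S-0",
    "Verification successful! WordPress site is now connected to Domain: "
    "S-1-5-21-3056053478-64484923-26988263",
]


def string_to_sid(text):
    """'S-1-5-21-...' -> the binary layout AD stores in objectSid.

    Layout: revision (1 byte), subauthority count (1 byte),
    identifier authority (6 bytes, big-endian), subauthorities (4 bytes
    each, little-endian).
    """
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError(f"out-of-range SID: {text!r}")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_to_string(blob):
    """Binary objectSid (as returned over LDAP) -> 'S-1-5-21-...'."""
    if len(blob) < 8:
        raise ValueError("objectSid shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def is_domain_sid(text):
    """True only for S-1-5-21-<a>-<b>-<c>: NT authority (5), the domain
    identifier (21) and exactly three machine-specific subauthorities."""
    try:
        string_to_sid(text)
    except ValueError:
        return False
    parts = text.split("-")
    return len(parts) == 7 and parts[2] == "5" and parts[3] == "21"


def split_rid(account_sid):
    """(domain SID, RID) for an account SID such as S-1-5-21-a-b-c-1106."""
    domain, _, rid = account_sid.rpartition("-")
    if not is_domain_sid(domain):
        raise ValueError(f"not an account SID under a domain: {account_sid!r}")
    return domain, int(rid)


def domain_sid_from_message(message):
    """SID from NADI's 'connected to Domain: <sid>' line, or None when the
    value is not a valid domain SID (e.g. the S-0 placeholder)."""
    m = re.search(r"Domain:\s*(S-[\d-]+)", message)
    if not m or not is_domain_sid(m.group(1)):
        return None
    return m.group(1)


if __name__ == "__main__":
    for line in PAGE_MESSAGES:
        print(domain_sid_from_message(line))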

    Thread Starter pwssupport

    (@pwssupport)

    @schakko,

    Here’s the full log. Thank you very much for your help. Please let me know if you need further information.

    
    [Wed Nov 23 09:59:38.105162 2016] [ssl:debug] [pid 18902] ssl_engine_kernel.c(224): [client 172.24.51.71:59450] AH02034: Subsequent (No.2) HTTPS request received for child 5 (server zip.zic.pri:443)
    [Wed Nov 23 09:59:38.105167 2016] [http:trace4] [pid 18902] http_request.c(301): [client 172.24.51.71:59450] Headers received from client:
    [Wed Nov 23 09:59:38.105170 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    [Wed Nov 23 09:59:38.105175 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Accept-Language: en-US
    [Wed Nov 23 09:59:38.105178 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    [Wed Nov 23 09:59:38.105180 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Accept-Encoding: gzip, deflate
    [Wed Nov 23 09:59:38.105182 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Connection: Keep-Alive
    [Wed Nov 23 09:59:38.105184 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Host: zip.zic.pri
    [Wed Nov 23 09:59:38.105186 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
    [Wed Nov 23 09:59:38.105189 2016] [http:trace4] [pid 18902] http_request.c(305): [client 172.24.51.71:59450]   Cookie: _ga=GA1.2.2039741005.1479332418
    [Wed Nov 23 09:59:38.105302 2016] [authz_core:debug] [pid 18902] mod_authz_core.c(809): [client 172.24.51.71:59450] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Wed Nov 23 09:59:38.105307 2016] [authz_core:debug] [pid 18902] mod_authz_core.c(809): [client 172.24.51.71:59450] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Wed Nov 23 09:59:38.105313 2016] [auth_kerb:debug] [pid 18902] src/mod_auth_kerb.c(1954): [client 172.24.51.71:59450] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Nov 23 09:59:38.105350 2016] [auth_kerb:debug] [pid 18902] src/mod_auth_kerb.c(1295): [client 172.24.51.71:59450] Acquiring creds for HTTPS/[email protected]
    [Wed Nov 23 09:59:38.108128 2016] [auth_kerb:debug] [pid 18902] src/mod_auth_kerb.c(1708): [client 172.24.51.71:59450] Verifying client data using KRB5 GSS-API 
    [Wed Nov 23 09:59:38.108141 2016] [auth_kerb:debug] [pid 18902] src/mod_auth_kerb.c(1724): [client 172.24.51.71:59450] Client didn't delegate us their credential
    [Wed Nov 23 09:59:38.108144 2016] [auth_kerb:debug] [pid 18902] src/mod_auth_kerb.c(1752): [client 172.24.51.71:59450] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [Wed Nov 23 09:59:38.108148 2016] [auth_kerb:debug] [pid 18902] src/mod_auth_kerb.c(1155): [client 172.24.51.71:59450] GSS-API major_status:00010000, minor_status:00000000
    [Wed Nov 23 09:59:38.108157 2016] [auth_kerb:error] [pid 18902] [client 172.24.51.71:59450] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
    [Wed Nov 23 09:59:38.108334 2016] [core:trace3] [pid 18902] request.c(119): [client 172.24.51.71:59450] auth phase 'check user' gave status 401: /
    [Wed Nov 23 09:59:38.108346 2016] [headers:debug] [pid 18902] mod_headers.c(848): AH01503: headers: ap_headers_error_filter()
    [Wed Nov 23 09:59:38.108355 2016] [http:trace3] [pid 18902] http_filters.c(1006): [client 172.24.51.71:59450] Response sent with status 401, headers:
    [Wed Nov 23 09:59:38.108358 2016] [http:trace5] [pid 18902] http_filters.c(1013): [client 172.24.51.71:59450]   Date: Wed, 23 Nov 2016 17:59:38 GMT
    [Wed Nov 23 09:59:38.108360 2016] [http:trace5] [pid 18902] http_filters.c(1016): [client 172.24.51.71:59450]   Server: Apache
    [Wed Nov 23 09:59:38.108362 2016] [http:trace4] [pid 18902] http_filters.c(835): [client 172.24.51.71:59450]   X-Frame-Options: DENY
    [Wed Nov 23 09:59:38.108365 2016] [http:trace4] [pid 18902] http_filters.c(835): [client 172.24.51.71:59450]   WWW-Authenticate: Basic realm=\"Kerberos authenticated intranet\"
    [Wed Nov 23 09:59:38.108367 2016] [http:trace4] [pid 18902] http_filters.c(835): [client 172.24.51.71:59450]   Content-Length: 381
    [Wed Nov 23 09:59:38.108369 2016] [http:trace4] [pid 18902] http_filters.c(835): [client 172.24.51.71:59450]   Keep-Alive: timeout=5, max=99
    [Wed Nov 23 09:59:38.108376 2016] [http:trace4] [pid 18902] http_filters.c(835): [client 172.24.51.71:59450]   Connection: Keep-Alive
    [Wed Nov 23 09:59:38.108378 2016] [http:trace4] [pid 18902] http_filters.c(835): [client 172.24.51.71:59450]   Content-Type: text/html; charset=iso-8859-1
    [Wed Nov 23 09:59:38.108432 2016] [ssl:trace4] [pid 18902] ssl_engine_io.c(2078): [client 172.24.51.71:59450] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f9e0af113e0 [mem: 7f9e0af2b983]
    [Wed Nov 23 09:59:43.113498 2016] [ssl:trace4] [pid 18902] ssl_engine_io.c(2078): [client 172.24.51.71:59450] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f9e0af113e0 [mem: 7f9e0af2b983]
    [Wed Nov 23 09:59:43.113605 2016] [ssl:debug] [pid 18902] ssl_engine_io.c(992): [client 172.24.51.71:59450] AH02001: Connection closed to child 5 with standard shutdown (server zip.zic.pri:443)
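    The `Authorization: Negotiate` value in the trace above is the whole story: decoded, it begins with `NTLMSSP`, i.e. the browser sent a bare NTLM NEGOTIATE message under the Negotiate scheme because it could not obtain a Kerberos ticket for the SPN. As an added example (not code from NADI or mod_auth_kerb), the following Python script classifies such a header value as raw NTLMSSP, a SPNEGO NegTokenInit (listing the mechanisms the client offered), or a bare Kerberos token, and is run against the token posted in this thread. `build_spnego_init` and `build_krb5_stub` construct sample tokens for comparison; they are constructed data, not captures.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <base64>' header.

Added example for this thread (not code from NADI or mod_auth_kerb).
"""
import base64
import struct

# GSS-API mechanism OIDs a Negotiate token can carry.
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NTLM_NEGOTIATE_VERSION = 0x02000000  # NTLMSSP flag: Version field present

# The Negotiate value copied from the Apache trace posted in this thread.
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def oid_decode(raw):
    """DER OID content bytes -> dotted string."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def classify_negotiate(b64):
    """Return (mechanism, details) for the value after 'Negotiate '."""
    raw = base64.b64decode(b64.strip())
    # Windows browsers send a bare NTLMSSP message under the Negotiate scheme
    # when they got no Kerberos ticket for the SPN; this prefix is what
    # mod_auth_kerb's "received token seems to be NTLM" warning keys on.
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        details = {"ntlm_message_type": msg_type, "flags": flags}
        # Version field sits at offset 32 in a NEGOTIATE (type 1) message.
        if msg_type == 1 and flags & NTLM_NEGOTIATE_VERSION and len(raw) >= 40:
            details["client_version"] = struct.unpack_from("<BBH", raw, 32)
        return "NTLM", details
    if not raw or raw[0] != 0x60:  # InitialContextToken is [APPLICATION 0]
        return "unknown", {}
    _, pos, _ = tlv(raw, 0)
    tag, vs, ve = tlv(raw, pos)
    if tag != 0x06:
        return "unknown", {}
    mech = oid_decode(raw[vs:ve])
    if mech != SPNEGO_OID:
        return MECH_NAMES.get(mech, "unknown"), {"oid": mech}
    # SPNEGO: [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    offered = []
    tag, vs, ve = tlv(raw, ve)
    if tag == 0xA0:
        _, vs, _ = tlv(raw, vs)       # SEQUENCE (NegTokenInit)
        tag, vs, ve = tlv(raw, vs)    # [0] mechTypes
        if tag == 0xA0:
            _, pos, ve = tlv(raw, vs) # SEQUENCE OF MechType
            while pos < ve:
                _, s, e = tlv(raw, pos)
                dotted = oid_decode(raw[s:e])
                offered.append(MECH_NAMES.get(dotted, dotted))
                pos = e
    return "SPNEGO", {"offered": offered}


def classify_header(line):
    """Accept a raw header or a log line containing 'Authorization: ...'."""
    scheme, _, value = line.split("Authorization:", 1)[1].strip().partition(" ")
    return classify_negotiate(value) if scheme == "Negotiate" else (scheme, {})


def der(tag, content):
    """Minimal DER TLV encoder (short-form length only; enough for samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def der_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body += bytes(chunk)
    return der(0x06, bytes(body))


def build_spnego_init(mech_oids):
    """Constructed sample (not a capture): NegTokenInit offering mech_oids."""
    mech_types = der(0x30, b"".join(der_oid(o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types))
    token = der(0x60, der_oid(SPNEGO_OID) + der(0xA0, neg_init))
    return base64.b64encode(token).decode()


def build_krb5_stub():
    """Constructed sample: bare Kerberos 5 token header (TOK_ID 01 00), no AP-REQ."""
    return base64.b64encode(der(0x60, der_oid(KRB5_OID) + b"\x01\x00")).decode()


if __name__ == "__main__":
    print(classify_negotiate(PAGE_TOKEN))
    print(classify_negotiate(build_spnego_init([KRB5_OID, NTLMSSP_OID])))
    print(classify_negotiate(build_krb5_stub()))
```

    A healthy Windows client on a host in the Intranet zone sends a SPNEGO token whose mechTypes list starts with Kerberos and carries the AP-REQ; a token that decodes to bare NTLMSSP (or a SPNEGO token offering only NTLMSSP) means the ticket request for the SPN failed on the client side, which is where to look next (SPN registered for the URL hostname, hostname in the Intranet zone, client able to reach a KDC).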
    
    
    Plugin Author schakko

    (@schakko)

    See my links above; the message “Warning: received token seems to be NTLM, which isn’t supported by the Kerberos module. Check your IE configuration.” is not expected, at least we did not experience this in our test environments.

  • The topic ‘SSO is enabled but need to login the first time’ is closed to new replies.