Topic on Project:Support desk

kerberos authentication failure: GSSAPI Failure: gss_accept_sec_context

Anu8791 (talkcontribs)

Hi,

We are using SSO with MediaWiki 1.25.3 with PHP 5.3.3 (apache2handler), MySQL 5.1.73.

Here, the issue is that we are now facing a Kerberos authentication failure because we are no longer using all of the encryption types below when generating the keytab.

This is because the IT infrastructure/AD team no longer allows the weak encryption types mentioned below to be used when generating the keytab.

It is also denied by corporate policy. We are only allowed to use the couple of strong encryption types mentioned below.

N.B. Kerberos authentication was working fine before, when the keytab was encrypted with all 5 of the encryption types below.

Could someone please advise on an alternate solution to resolve the Kerberos authentication issue? It would be greatly appreciated.

Weak encryptions:

DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-NT

Strong encryptions:

AES256-SHA1 | AES128-SHA1

Thank you in advance.

Sanjay

Ciencia Al Poder (talkcontribs)

If I'm not mistaken, SSO with NTLM/Kerberos is done with IIS at the IIS level; MediaWiki doesn't handle the authentication at all, except that you need an extension handling auth_remoteuser. In your case I see you're using Apache instead of IIS, but it should be handled the same way: the configuration for Kerberos authentication should be in the Apache configuration.

You should be able to test it by enabling a debug log for MediaWiki and seeing that PHP and MediaWiki aren't called at all (nothing is written to the logs) when the authentication fails.

Anu8791 (talkcontribs)

Thanks for your quick response!

Yes, we do use SSO with Kerberos. As I have disclosed, the configuration of the Apache2 server is the same as we used earlier and it has never changed.

But the keytab that is required to be configured on the Red Hat Linux server is now not encrypted with the types below.

Weak encryptions:

DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC-NT

Also, I think we can't debug the application as of now, because we are getting "Page can't be reached" / "Internal Server Error" on the web page.

Could you provide information related to the encryption types so that it would be authenticated by the KDC with the encryption types below? Or how will we overcome the above error on the web page?

Strong encryptions:

AES256-SHA1 | AES128-SHA1

AKlapper (WMF) (talkcontribs)

For the record, MediaWiki 1.25.3 is an ancient, unsupported software version with a good number of security issues. See https://www.mediawiki.org/wiki/Download and https://www.mediawiki.org/wiki/Manual:Upgrading

Anu8791 (talkcontribs)

For your information, earlier we did not experience such Kerberos issues with the installed MediaWiki 1.25.3. And we are planning to upgrade to the MediaWiki 1.27.3 LTS version after fixing the authentication issue.

Also, it's an issue with server-level authentication (Kerberos), not with application-level configuration.

The scenario is that we are getting a TGT from the KDC when we initialize the keytab. But it's not authorized by the Kerberos GSS-API, and the error below is logged on the server.

"- kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

- Acquiring creds for SPN : xxxxxxx

- Verifying client data using KRB5 GSS-API

- Client didn't delegate us their credential

- Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration."

As I already disclosed, weak encryption types are against corporate policy and we are now unable to use them. Since then we have been facing this Kerberos authentication issue.

Could you help in this regard? Or could you delegate the same issue to the responsible Kerberos tech team to get a possible solution?

Thanks in advance,

Sanjay
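As an added example (not code from either poster, nor from MediaWiki or Apache), the script below parses constructed `klist -kte` output for the wiki's HTTP SPN to report which of the enctypes named in this thread the keytab actually holds, and classifies mod_auth_kerb debug lines like the ones quoted above: an NTLM token means the browser never presented a Kerberos ticket, so the keytab's enctypes were not even consulted. The keytab path, SPN, realm and timestamps are assumptions.

```python
import re

# Enctype names as MIT Kerberos prints them (the thread uses the AD display names).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# One keytab entry as printed by `klist -kte`: "<kvno> <timestamp> <principal> (<enctype>)"
_ENTRY = re.compile(r"^\s*\d+\s+.*?(\S+@[^\s(]+)\s+\(([^)]+)\)\s*$")


def keytab_enctypes(klist_output):
    """Return {principal: {enctype, ...}} parsed from `klist -kte` text; header lines are skipped."""
    entries = {}
    for line in klist_output.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2).strip().lower())
    return entries


def audit_keytab(klist_output, spn):
    """Which enctypes the HTTP SPN has, which of them are weak, and whether AES is available."""
    enctypes = keytab_enctypes(klist_output).get(spn, set())
    return {
        "present": sorted(enctypes),
        "weak": sorted(enctypes & WEAK_ENCTYPES),
        "has_aes": bool(enctypes & STRONG_ENCTYPES),
    }


def classify_auth_log(log_lines):
    """Point mod_auth_kerb debug output at the layer where Negotiate failed."""
    text = "\n".join(log_lines)
    if "received token seems to be NTLM" in text:
        # The browser sent NTLM, so no Kerberos service ticket reached Apache at all.
        return "client-sent-ntlm"
    if "gss_accept_sec_context" in text:
        # A ticket arrived but could not be verified against the keytab.
        return "gssapi-accept-failed"
    return "unknown"


# Constructed sample input (not real output from the poster's server).
SAMPLE_KLIST = """KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/01/2018 09:00:00 HTTP/wiki.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 01/01/2018 09:00:00 HTTP/wiki.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 01/01/2017 09:00:00 HTTP/wiki.example.com@EXAMPLE.COM (arcfour-hmac)
"""
SAMPLE_LOG = [
    "kerb_authenticate_user entered with user (NULL) and auth_type Kerberos",
    "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module.",
]
```

On a real server, feed `audit_keytab` the output of `klist -kte /etc/krb5.keytab` and `classify_auth_log` the Apache error log; a `client-sent-ntlm` result points at the browser's SPN/Negotiate configuration rather than at the keytab.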

Ciencia Al Poder (talkcontribs)

The problem is with Apache, not MediaWiki (all the Kerberos-related configuration you have is probably in Apache config files, not MediaWiki). You should ask in an Apache forum, where they should have better knowledge about the different encryption options you have.