Apache Kerberos令牌错误

我试图在我的apache上设置一个简单的文件目录共享，这是kerberized来处理KDC票证，

当我尝试通过工作站上的Chrome浏览器访问共享文件时，我在Apacche错误日志中收到这些错误，

Fri Dec 08 16:59:50.390610 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1598): [client 192.168.2.136:58703] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Dec 08 16:59:50.390657 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1230): [client 192.168.2.136:58703] Acquiring creds for HTTP/web01.CORP.local@CORP.LOCAL
[Fri Dec 08 16:59:50.392259 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1352): [client 192.168.2.136:58703] Verifying client data using KRB5 GSS-API 
[Fri Dec 08 16:59:50.392296 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1368): [client 192.168.2.136:58703] Client didn't delegate us their credential
[Fri Dec 08 16:59:50.392305 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1396): [client 192.168.2.136:58703] **Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.**
[Fri Dec 08 16:59:50.392312 2017] [auth_kerb:debug] [pid 8140] src/mod_auth_kerb.c(1091): [client 192.168.2.136:58703] GSS-API **major_status:00070000, minor_status:00000000**
[Fri Dec 08 16:59:50.392328 2017] [auth_kerb:error] [pid 8140] [client 192.168.2.136:58703] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)*


    ----------

我的公司AD上有一个Windows 10工作站，我的Apache在Centos 7上，httpd-2.4.10

我使用mksutil为我的Apache服务器创建了一个服务帐户，并将生成的keytab复制到Apache服务器上，/ etc / httpd /

到目前为止测试：

• 测试从Apache服务器到域的基本连接

[root@web01 /etc/httpd]# kinit first.last
    Password for first.last@CORP.LOCAL:
    [root@web01 /etc/httpd]#

• 检查是否在AD上生成了名为'web01.httpd'的公用事业帐户，并在那里，也通过KLIST进行检查

[root@web01 /etc/httpd]# klist -kte /etc/httpd/httpd.keytab
    Keytab name: FILE:/etc/httpd/httpd.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 12/08/17 10:16:28 web01.httpd@CORP.LOCAL (arcfour-hmac)
       2 12/08/17 10:16:28 web01.httpd@CORP.LOCAL (aes128-cts-hmac-sha1-96)
       2 12/08/17 10:16:28 web01.httpd@CORP.LOCAL (aes256-cts-hmac-sha1-96)
       2 12/08/17 10:16:28 HTTP/web01.CORP.local@CORP.LOCAL (arcfour-hmac)
       2 12/08/17 10:16:28 HTTP/web01.CORP.local@CORP.LOCAL (aes128-cts-hmac-sha1-96)
       2 12/08/17 10:16:28 HTTP/web01.CORP.local@CORP.LOCAL (aes256-cts-hmac-sha1-96)

3. check if KVNO shows a number,

[root@web01 /etc/httpd]# kvno HTTP/web01.CORP.local
        kvno HTTP/web01.corp.local@CORP.LOCAL
        HTTP/web01.corp.local@CORP.LOCAL: kvno = 2

4. checked my Apache config,

LoadModule auth_kerb_module /usr/lib64/httpd/modules/mod_auth_kerb.so

                
                    ServerName webfiles
                    ServerAlias webfiles.corp.local
                    DocumentRoot /opt/webfiles
                    LogLevel Debug
                    RewriteEngine On
                    RewriteCond %{HTTPS} off
                    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
                

                
                    ServerName webfiles
                    ServerAlias webfiles.corp.local
                    DocumentRoot /opt/webfiles

                    LogLevel Debug
                    ErrorLog /var/log/httpd/webfiles_error
                    CustomLog /var/log/httpd/webfiles_access common

                    SSLEngine On
                    SSLCertificateKeyFile   /etc/pki/tls/private/web01.CORP.local.pem
                    SSLCertificateFile      /etc/pki/tls/certs/web01.CORP.local.pem
                    SSLCertificateChainFile /etc/pki/ca-trust/source/anchors/CORP_intermediate_ca.crt


                    
                      AuthzSendForbiddenOnFailure On
                      Options +Indexes
                      AllowOverride None
                      Order allow,deny
                      Allow from all
                      AuthName "kerb access"
                      AuthType Kerberos
                      KrbAuthRealms CORP.LOCAL
                      KrbServiceName HTTP/web01.corp.local@CORP.LOCAL
                      Krb5KeyTab /etc/httpd/httpd.keytab
                      KrbMethodK5Passwd off
                      KrbLocalUserMapping on
                      KrbSaveCredentials on
                      SSLRequireSSL
                      #AuthGroupFile /etc/httpd/conf/httpd-access-groups
                      Require valid-user

5. checked the /etc/krb5.conf for proper domain info, it looks good,

[libdefaults]
             default_realm = CORP.LOCAL
             dns_lookup_realm = true
             dns_lookup_kdc = true
             ticket_lifetime = 10h
             renew_lifetime = 7d
             forwardable = true
             kdc_timesync = true
             ccache_type = 4
             proxiable = true
             fcc-mit-ticketflags = true
             default_keytab_name = FILE:/etc/krb5.keytab
             verify_ap_req_nofail = true

            [realms]
             CORP.LOCAL = {
              kdc = CORP.local
              admin_server = dom01.corp.local
             }

            [domain_realm]
             CORP.local     = CORP.LOCAL
             .CORP.local    = CORP.LOCAL
             .dr.CORP.local = CORP.LOCAL
             .test.local           = CORP.LOCAL
             .dmz.local            = CORP.LOCAL
             .prod.local           = CORP.LOCAL

不知道在哪里看，我的工作站Internet选项 - 本地站点 - 配置为对我的域进行身份验证，

仍然收到NTLM错误消息