Topic: sso glpi

I am trying to enable single sign-on in GLPI.

Server is Ubuntu 14.04.
GLPI version 9.1.2

Configuration I followed:

https://www.johnthedeveloper.co.uk/sing … php-ubuntu

My configuration

<VirtualHost *:80>
Alias /glpi /usr/share/glpi

        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName glpi.clarebout.com

        ServerAdmin [email protected]
        DocumentRoot /usr/share/glpi

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/glpinieuwerror.log
        CustomLog ${APACHE_LOG_DIR}/glpinieuwaccess.log combined
        <Directory /usr/share/glpi>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
                Allow from all
        </Directory>

        <IfModule !auth_kerb_module>
          <Directory "/usr/share/glpi">
            Require all denied
          </Directory>
        </IfModule>

        <IfModule auth_kerb_module>
          <Directory "/usr/share/glpi">
            AuthType Kerberos
            AuthName "glpi"
            Krb5Keytab /etc/kerberos.keytab
            KrbAuthRealms clarebout.local
            Require valid-user
          </Directory>
        </IfModule>

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>


[auth_kerb:error] [pid 10553] [client] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/localhost@)

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Anybody have an idea why it's not working?
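
The log line above says that no keytab entry matches the service principal Apache asked for. As an added example (not from this thread or the guide it links), the Python below reads an MIT keytab (file format 0x0502) and reports whether HTTP/<host>@<realm> is present exactly, only up to letter case, or not at all; the host name, realm and sample keytab are constructed for the illustration.

```python
import struct

def keytab_principals(data):
    """Return (principal, kvno, enctype) per entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(p):  # 16-bit big-endian length, then that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a hole left by a deleted entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        parts, p = [], pos + 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            part, p = counted(p)
            parts.append(part)
        p += 8  # skip name type (4 bytes) and timestamp (4 bytes)
        kvno, enctype, keylen = struct.unpack_from(">BHH", data, p)
        p += 5 + keylen
        if end - p >= 4:  # optional 32-bit kvno; used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return entries

def check_spn(keytab, host, realm):
    """Classify HTTP/<host>@<realm> against the keytab; names are case-sensitive."""
    want = f"HTTP/{host}@{realm}"
    names = [name for name, _, _ in keytab_principals(keytab)]
    if want in names:
        return "match"
    folded = want.lower() in (n.lower() for n in names)
    return "case-mismatch" if folded else "missing"

def sample_entry(principal, kvno, enctype, key):  # builds the constructed sample only
    s = lambda b: struct.pack(">H", len(b)) + b
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one RC4-HMAC (enctype 23) entry with a dummy all-zero key.
SAMPLE = b"\x05\x02" + sample_entry("HTTP/glpi.example.test@EXAMPLE.TEST", 3, 23, bytes(16))
```

On a real server, check_spn can be given the bytes of the file named by Krb5Keytab together with the virtual host's ServerName and the realm; a "case-mismatch" or "missing" result means the lookup reported in the error log will fail for that name.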


Re: sso glpi

Nobody who has any experience with this?


Re: sso glpi

Sure you registered the SPN for your server?


Re: sso glpi

Do you mean creating a keytab?
I created a keytab with this command on the Active Directory server.

I altered the login info.

ktpass -princ [email protected] -mapuser [email protected] -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos.keytab


Re: sso glpi

KrbAuthRealms clarebout.local
must be identical domain for [email protected]

must be:
KrbServiceName [email protected]


Re: sso glpi

I'm sorry, I just copied the command from the guide.

The command I used to create the keytab was this:

ktpass -princ [email protected] -mapuser [email protected] -pass xxxx -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\tmp\kerberos.keytab


Re: sso glpi

-crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out c:\keytab.it


Re: sso glpi

OK, when I try this I get this screen:


Then I enter my AD credentials; GLPI then proceeds to this screen.



Re: sso glpi

Maybe this?