http://10.10.1.x:3001/ fails.
http://my-host:3001/ SSO completes successfully.
The Apache error log says:
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@10.10.1.x
[client 10.10.1.x] gss_acquire_cred() Failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for HTTP@my-host
[debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0
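As you can see, Kerberos tries to look up the HTTP@10.10.1.x or HTTP@my-host principal. Both principals were created in Active Directory with dummy accounts. They are also included in the keytab file: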
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
  11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
kinit works for both of them.
The Kerberos configuration on the server:
Krb5Keytab /etc/krb5.keytab
AuthType Kerberos
KrbMethodNegotiate On
AuthName "Kerberos Login"
KrbAuthRealms MY_DOMAIN.LAN
KrbVerifyKDC Off
KrbMethodK5Passwd On
Require valid-user
Can anyone guess where the problem is? Is it possible to use an IP address with Kerberos SSO?