Problems appear when accessing a Kerberos-protected site by IP address. For example:
http://10.10.1.x:3001/
gives a failure.
http://my-host:3001/
SSO completes successfully.
Apache error logs say:
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for [email protected] [client 10.10.1.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for HTTP@my-host [debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API [debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0
As you can see, Kerberos tries to find the [email protected]
or HTTP@my-host
principals. For both principals I created dummy accounts in Active Directory. The keytab file also includes both of them:
KVNO Timestamp Principal
---- ----------------- -----------------------------------------------------
5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
kinit works for both of them.
Kerberos config on the server:
Krb5Keytab /etc/krb5.keytab
AuthType Kerberos
KrbMethodNegotiate On
AuthName "Kerberos Login"
KrbAuthRealms MY_DOMAIN.LAN
KrbVerifyKDC Off
KrbMethodK5Passwd On
Require valid-user
Could someone guess where the problem is? Is it possible to use an IP address in Kerberos SSO?
Kerberos clients allow IPv4 and IPv6 address hostnames in Service Principal Names (SPNs)
Resolution. To resolve this problem, update the registry on each computer that participates in the Kerberos authentication process, including the client computers. We recommend that you update all of your Windows-based systems, especially if your users have to log on across multiple domains or forests.
When using an HTTP server that is listening on a port other than the standard port of 80, the Kerberos principal needs to have this as part of the host name; for example, HTTP/www.mycompany.com:[email protected]. The Active Directory account needs to be added with the same principal name.
Kerberos does not work with IP addresses; it relies on domain names and correct DNS entries only.
A Microsoft KB article says that this is by design:
https://support.microsoft.com/en-ca/kb/322979
The title of the above KB is: Kerberos is not used when you connect to SMB shares by using IP address
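A check for the keytab-versus-Host-header mismatch discussed in this thread, added here as an example (not code from any poster): it parses `klist -k` output, derives the SPN that mod_auth_kerb will acquire credentials for from the request's Host header, and flags IP-literal hosts, which the answer above says Kerberos does not support. The keytab listing, realm and host values are constructed stand-ins for the ones in the question.

```python
import ipaddress
import re

# Constructed sample of `klist -k` output, modelled on the keytab listing in the
# question (placeholder host and IP values, not real ones).
KLIST_OUTPUT = """\
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   5 01/01/70 03:00:00 HTTP/10.10.1.5@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
  11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
"""

def keytab_principals(klist_text):
    """Parse `klist -k` output into the set of principals the keytab holds."""
    principals = set()
    for line in klist_text.splitlines():
        # Columns: KVNO, date, time, principal; the trailing "(enctype)" is ignored.
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+)", line)
        if m:
            principals.add(m.group(1))
    return principals

def check_host(host_header, realm, klist_text):
    """Work out which SPN a request with this Host header needs and whether the
    keytab can serve it. Returns the candidate SPNs, the one matched (if any),
    whether the host is an IP literal, and a list of problems found."""
    h = host_header.strip()
    if h.startswith("["):            # bracketed IPv6 literal, e.g. [fd00::1]:3001
        host, _, rest = h[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = h.partition(":")
    try:
        ipaddress.ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    # mod_auth_kerb acquires creds for HTTP@<host>; the KB quoted above says a
    # non-standard port may also be encoded into the principal as HTTP/<host>:<port>.
    # Comparison is exact, as Kerberos principal names are case-sensitive.
    candidates = [f"HTTP/{host}@{realm}"]
    if port:
        candidates.insert(0, f"HTTP/{host}:{port}@{realm}")
    present = keytab_principals(klist_text)
    matched = next((c for c in candidates if c in present), None)
    problems = []
    if ip_literal:
        problems.append("Host is an IP literal; Kerberos needs a DNS name in the SPN")
    if matched is None:
        problems.append("no keytab entry for " + " or ".join(candidates))
    return {"candidates": candidates, "matched": matched,
            "ip_literal": ip_literal, "problems": problems}
```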