Apache Active Directory mod_authnz_ldap not working - apache

I have been trying to get AD auth on a virtualhost page working for the past several days, to no avail. Help...
CentOS 7
Apache 2.4.6
mod_ldap and mod_authnz_ldap installed and loading
<VirtualHost *:80>
DocumentRoot /var/www/wwwtest/public
ServerName wwwtest.example.com
ErrorLog logs/wwwtest.example.com-error_log
CustomLog logs/wwwtest.example.com-access_log common
<Directory /var/www/wwwtest/public>
Allow from all
Order Allow,Deny
Options Indexes MultiViews FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "login"
AuthBasicProvider ldap
AuthLDAPBindDN ldapuser@EXAMPLE.COM
AuthLDAPBindPassword ldappassword
AuthLDAPURL "ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindAuthoritative off
Require valid-user
</Directory>
</VirtualHost>
I have trace8 enabled in /etc/httpd/conf/httpd.conf
And this is what I see in /var/log/httpd/wwwtest.example.com-error.log
[Wed Oct 21 12:12:56.213178 2015] [http:trace4] [pid 20648] http_request.c(301): [client 172.16.250.250:49559] Headers received from client:
[Wed Oct 21 12:12:56.213263 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Host: wwwtest.example.com
[Wed Oct 21 12:12:56.213278 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
[Wed Oct 21 12:12:56.213284 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Oct 21 12:12:56.213289 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Language: en-US,en;q=0.5
[Wed Oct 21 12:12:56.213293 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Encoding: gzip, deflate
[Wed Oct 21 12:12:56.213297 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] DNT: 1
[Wed Oct 21 12:12:56.213301 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Connection: keep-alive
[Wed Oct 21 12:12:56.213305 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Cache-Control: max-age=0
[Wed Oct 21 12:12:56.213309 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Authorization: Basic RTAxMDEwMTAxOkNvbmNvcmRpYTIwMTU=
[Wed Oct 21 12:12:56.213530 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213556 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213644 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(501): [client 172.16.250.250:49559] AH01691: auth_ldap authenticate: using URL ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=edu?sAMAccountName?sub?(objectClass=user)
[Wed Oct 21 12:12:56.213705 2015] [authnz_ldap:trace1] [pid 20648] mod_authnz_ldap.c(522): [client 172.16.250.250:49559] auth_ldap authenticate: final authn filter is (&(objectClass=user)(sAMAccountName=TESTUSER))
[Wed Oct 21 12:12:56.215123 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.216479 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 1)
[Wed Oct 21 12:12:56.217336 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 2)
[Wed Oct 21 12:12:56.217358 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.217398 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.218332 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 3)
[Wed Oct 21 12:12:56.219355 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 4)
[Wed Oct 21 12:12:56.219392 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.219430 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.219444 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(539): [client 172.16.250.250:49559] AH01694: auth_ldap authenticate: user TESTUSER authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)
[Wed Oct 21 12:12:56.219454 2015] [auth_basic:error] [pid 20648] [client 172.16.250.250:49559] AH01618: user TESTUSER not found: /
[Wed Oct 21 12:12:56.219469 2015] [core:trace3] [pid 20648] request.c(119): [client 172.16.250.250:49559] auth phase 'check user' gave status 401: /
[Wed Oct 21 12:12:56.219530 2015] [http:trace3] [pid 20648] http_filters.c(992): [client 172.16.250.250:49559] Response sent with status 401, headers:
[Wed Oct 21 12:12:56.219532 2015] [http:trace5] [pid 20648] http_filters.c(999): [client 172.16.250.250:49559] Date: Wed, 21 Oct 2015 19:12:56 GMT
[Wed Oct 21 12:12:56.219534 2015] [http:trace5] [pid 20648] http_filters.c(1002): [client 172.16.250.250:49559] Server: Apache/2.4.6 (CentOS)
[Wed Oct 21 12:12:56.219536 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] WWW-Authenticate: Basic realm=\\”login\\”
[Wed Oct 21 12:12:56.219538 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Length: 381
[Wed Oct 21 12:12:56.219540 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Keep-Alive: timeout=5, max=100
[Wed Oct 21 12:12:56.219541 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Connection: Keep-Alive
[Wed Oct 21 12:12:56.219542 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Type: text/html; charset=iso-8859-1
I can do ldapsearch with these credentials and it returns user objects from our DC, so the credentials are correct. I ran Wireshark on the DC. It never saw any LDAP packets from this web server. I ran tcpdump on the web server and it never sent any LDAP packets when I attempted to auth...
We got AD auth via PHP working in like 10 minutes, but I had previously been working on this for days...so sure, auth works now, but I want to know why mod_ldap and mod_authnz_ldap aren't working...or...what isn't working.
Also, I'm kinda new with Apache...so the problem is more than likely something I'm misunderstanding.
Thanks in advance.
UPDATE: Apparently it works just fine in Debian. (Apache 2.2.22, but still) sigh

SOLVED: Clearly I'm still new at Linux as well.
It was, of course, an issue with SELinux. Even though I had set it from Enforcing to Permissive (and then eventually to Disabled), I didn't know that the only way to make that change is apparently by rebooting (or setenforce 0). Rebooted, and it all worked fine because SELinux was now disabled. I then found that SELinux logs are at /var/log/audit/audit.log. There were a bunch of:
type=AVC msg=audit(1445466425.176:1849): avc: denied { name_connect } for pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
So to allow httpd to access ldap, I followed this post which says:
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> off
# setsebool httpd_can_connect_ldap 1
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> on
After that, auth worked perfectly with Firewalld enabled and with SELinux Enforcing. That also explains why a tcpdump showed no ldap bind attempts.
So yeah, hopefully this helps out anyone else that may have been stuck.
Bottom line: learn more about SELinux.
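The diagnosis above, as an added example that is not part of the original post: a parser for `type=AVC` records that pulls out the outbound `name_connect` denials for `httpd_t` and names the boolean to check. The first sample record is the one quoted in the post, the other lines are constructed, and the function and table names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the first record is the one quoted in the post; the remaining
# lines are constructed to exercise the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1445466425.176:1849): avc: denied { name_connect } for pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1445466430.101:1850): avc: denied { name_connect } for pid=21184 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1445466431.000:1851): avc: denied { read } for pid=900 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1445466431.000:1851): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type) -> boolean to inspect. Only the pairing named in
# the post is listed; anything else is left for audit2why to explain.
BOOLEAN_HINTS = {("httpd_t", "ldap_port_t"): "httpd_can_connect_ldap"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":", 3)  # the level itself may contain colons
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit.log line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    dest = fields.get("dest", "")
    return {
        "epoch": float(m.group("epoch")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "dest": int(dest) if dest.isdigit() else None,
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def blocked_outbound(log_text, domain="httpd_t"):
    """Denied outbound TCP connects (name_connect) made from the given domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied"
                and rec["source_type"] == domain
                and rec["tclass"] == "tcp_socket"
                and "name_connect" in rec["perms"]):
            rec["boolean"] = BOOLEAN_HINTS.get((rec["source_type"], rec["target_type"]))
            hits.append(rec)
    return hits


def summarize(log_text):
    """Count denials per (destination port, target type, boolean hint)."""
    return Counter((r["dest"], r["target_type"], r["boolean"])
                   for r in blocked_outbound(log_text))


if __name__ == "__main__":
    for (dest, ttype, boolean), count in summarize(SAMPLE_AUDIT_LOG).most_common():
        hint = f"getsebool {boolean}" if boolean else "audit2why < /var/log/audit/audit.log"
        print(f"httpd_t blocked connecting to tcp/{dest} ({ttype}) x{count}: check `{hint}`")
```

`setsebool` without `-P` changes only the running policy; `setsebool -P httpd_can_connect_ldap 1` writes the value to the policy store so it survives a reboot.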

Related

How to handle different servernames with SPN, apache2 on OpenShift, and kerberos SSO auth

I'm trying to create a generic apache2 webserver as an authentication "gateway".
Scenario:
Someone browses to spn-servername.active-directory.int/secure, apache should try to use kerberos to verify the user (best case with SSO) and redirect him to a backend / another webservice.
It works to the point where the auth and SSO are successful but I don't know how to generalize it for different containers on OpenShift and use the same Active Directory user.
The problem is, if I change the servername of the container and the apache conf servername, auth still works but SSO fails. I guess it's because the SPN of the active directory user and the servername are different?
I want to deploy different applications with different servernames without changing the user/keytab.
What is the best practice to configure multiple apache authentication gateways with different hostnames but with the same Active Directory user?
000default.conf
<VirtualHost *:80>
ServerName generic-hostname.active-directory.int
DocumentRoot "/var/www/html"
<IfModule !mod_auth_kerb.c>
LoadModule auth_gssapi_module /usr/lib/apache2/modules/mod_auth_gssapi.so
</IfModule>
LimitRequestFieldSize 32768
<Location "/secure">
AuthType GSSAPI
AuthName "GSSAPILogin"
GssapiBasicAuth On
GssapiCredStore keytab:/etc/http.keytab
require valid-user
</Location>
LogLevel debug
ErrorLog /var/log/apache2/sso.test.local-error.log
CustomLog /var/log/apache2/sso.test.local-access.log combined
</VirtualHost>
keytab generation:
ktpass -princ HTTP/spn-servername.active-directory.int@active-directory.int -mapuser sysaccount99@active-directory.int -pass mysecret -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\Temp\http.keytab
Active Directory user:
displayName: sysaccount99
sAMAccountName: sysaccount99
userPrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int
servicePrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int and HTTP/spn-servername.active-directory.int
/var/log/apache2/sso.test.local-error.log if SSO not working:
[Wed Jan 08 14:00:11.964555 2020] [core:trace5] [pid 871:tid 139656674920192] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.964643 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.964649 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.964652 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.964655 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.964658 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.964661 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.964664 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Connection: keep-alive
[Wed Jan 08 14:00:11.964667 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607] Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.964707 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964713 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964728 2020] [auth_kerb:debug] [pid 871:tid 139656674920192] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.964734 2020] [core:trace3] [pid 871:tid 139656674920192] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.964796 2020] [http:trace3] [pid 871:tid 139656674920192] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.964804 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1136): [client 192.168.56.1:55607] Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.964807 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1139): [client 192.168.56.1:55607] Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.964810 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] WWW-Authenticate: Negotiate
[Wed Jan 08 14:00:11.964813 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.964816 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Content-Length: 479
[Wed Jan 08 14:00:11.964819 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Keep-Alive: timeout=5, max=100
[Wed Jan 08 14:00:11.964822 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Connection: Keep-Alive
[Wed Jan 08 14:00:11.964824 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607] Content-Type: text/html; charset=iso-8859-1
[Wed Jan 08 14:00:11.974410 2020] [core:trace5] [pid 871:tid 139656658134784] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.974456 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.974469 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.974473 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.974476 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.974479 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.974482 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.974484 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Connection: keep-alive
[Wed Jan 08 14:00:11.974487 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607] Authorization: Negotiate TlRMLLVNTUAABAAKKl4II4gAAAAAAAABBBBBBBBAAAAGA4AlAAAADw==
[Wed Jan 08 14:00:11.974524 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974529 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974561 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.974598 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1722): [client 192.168.56.1:55607] Verifying client data using KRB5 GSS-API
[Wed Jan 08 14:00:11.974671 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1738): [client 192.168.56.1:55607] Client didn't delegate us their credential
[Wed Jan 08 14:00:11.974676 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1766): [client 192.168.56.1:55607] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Jan 08 14:00:11.974681 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1159): [client 192.168.56.1:55607] GSS-API major_status:00010000, minor_status:00000000
[Wed Jan 08 14:00:11.974688 2020] [auth_kerb:error] [pid 871:tid 139656658134784] [client 192.168.56.1:55607] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Wed Jan 08 14:00:11.974696 2020] [core:trace3] [pid 871:tid 139656658134784] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.974712 2020] [http:trace3] [pid 871:tid 139656658134784] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.974716 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1136): [client 192.168.56.1:55607] Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.974718 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1139): [client 192.168.56.1:55607] Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.974722 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.974725 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Content-Length: 479
[Wed Jan 08 14:00:11.974731 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Keep-Alive: timeout=5, max=99
[Wed Jan 08 14:00:11.974734 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Connection: Keep-Alive
[Wed Jan 08 14:00:11.974737 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607] Content-Type: text/html; charset=iso-8859-1
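The second request in the log above carries an `Authorization: Negotiate` token that the module reports as NTLM. As an added example (not part of the original post), this classifier decodes such a header and reports whether the browser sent raw NTLMSSP or a GSS-API/SPNEGO token that offers Kerberos. The sample tokens are constructed byte strings and all function names are hypothetical.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded OID bodies of the mechanisms a browser may put in the token.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def _der_len(buf, pos):
    """Read a DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"kind": "not-negotiate"}
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "undecodable"}
    # Raw NTLMSSP: 8-byte signature followed by a little-endian message type.
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        mtype = struct.unpack_from("<I", raw, 8)[0]
        return {"kind": "raw-ntlm", "ntlm_message": NTLM_TYPES.get(mtype, "unknown"),
                "kerberos_offered": False}
    try:
        # GSS-API initial token: [APPLICATION 0] { mechanism OID, inner token }.
        if raw[0] == 0x60:
            _, pos = _der_len(raw, 1)
            if raw[pos] == 0x06:
                oid_len, pos = _der_len(raw, pos + 1)
                oid, body = raw[pos:pos + oid_len], raw[pos + oid_len:]
                if oid in (OID_KRB5, OID_MS_KRB5):
                    return {"kind": "kerberos", "kerberos_offered": True}
                if oid == OID_SPNEGO:
                    # Heuristic: look for mechanism OIDs in the body instead of
                    # walking the whole NegTokenInit structure.
                    return {"kind": "spnego",
                            "kerberos_offered": OID_KRB5 in body or OID_MS_KRB5 in body,
                            "ntlm_offered": OID_NTLMSSP in body or NTLMSSP_SIG in body}
    except IndexError:
        pass  # truncated token
    return {"kind": "unknown"}


# --- constructed sample tokens (not captured traffic) -----------------------
def _der(tag, payload):
    """Encode one DER TLV; enough for payloads under 256 bytes."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload


def _mech_list(*oids):
    return _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in oids)))


def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


_NTLM_TYPE1 = NTLMSSP_SIG + struct.pack("<II", 1, 0)
RAW_NTLM = _header(_NTLM_TYPE1)
SPNEGO_KRB5 = _header(_der(0x60, _der(0x06, OID_SPNEGO) + _der(
    0xA0, _der(0x30, _mech_list(OID_MS_KRB5, OID_KRB5, OID_NTLMSSP)))))
SPNEGO_NTLM = _header(_der(0x60, _der(0x06, OID_SPNEGO) + _der(
    0xA0, _der(0x30, _mech_list(OID_NTLMSSP) + _der(0xA2, _der(0x04, _NTLM_TYPE1))))))

if __name__ == "__main__":
    for name in ("RAW_NTLM", "SPNEGO_KRB5", "SPNEGO_NTLM"):
        print(name, classify_negotiate(globals()[name]))
```

A `raw-ntlm` result means the client did not present a Kerberos service ticket for the host it addressed, which is the fallback the `auth_kerb` warning in the log reports.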

Apache 2.4 Basic Authentication slow

I have a Debian Stretch server running Apache 2.4.
I want to use Basic Authentication to allow only a few users access to the served directory.
My configuration:
<Directory "/var/www/html">
AuthType Basic
AuthName "VPN Gateway Lpgin"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Options Indexes FollowSymLinks
AllowOverride None
<RequireAll>
Require ip 192.168.2.0/24
Require valid-user
</RequireAll>
</Directory>
This does work, but all requests now take over a minute to complete.
If I comment out the authentication line Require valid-user the requests are not slow at all.
[Tue Dec 25 11:29:08.272751 2018] [ssl:info] [pid 17970] [client 192.168.2.16:55447] AH01964: Connection to child 4 established (server localhost:443)
[Tue Dec 25 11:29:08.274989 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(532): AH00835: socache_shmcb_retrieve (0xf3 -> subcache 19)
[Tue Dec 25 11:29:08.275157 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(884): AH00849: match at idx=0, data=0
[Tue Dec 25 11:29:08.275267 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(907): AH00850: shmcb_subcache_retrieve discarding expired entry
[Tue Dec 25 11:29:08.275292 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(542): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Dec 25 11:29:08.275632 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2115): [client 192.168.2.16:55447] AH02043: SSL virtual host for servername localhost found
[Tue Dec 25 11:29:08.275965 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2115): [client 192.168.2.16:55447] AH02043: SSL virtual host for servername localhost found
[Tue Dec 25 11:29:08.276057 2018] [core:debug] [pid 17970] protocol.c(2219): [client 192.168.2.16:55447] AH03155: select protocol from , choices=h2,h2-16,h2-15,h2-14,spdy/3.1,spdy/3,http/1.1 for server localhost
[Tue Dec 25 11:29:08.475832 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x0a -> subcache 10)
[Tue Dec 25 11:29:08.475990 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 25 11:29:08.476020 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/198
[Tue Dec 25 11:29:08.476044 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 25 11:29:08.476100 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2042): [client 192.168.2.16:55447] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Dec 25 11:29:08.477457 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(366): [client 192.168.2.16:55447] AH02034: Initial (No.1) HTTPS request received for child 4 (server localhost:443)
[Tue Dec 25 11:29:08.478096 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:08.478225 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:08.478257 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:08.478281 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:29:26.504306 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:26.504552 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:26.504589 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:29:26.504620 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:29:26.505318 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:26.505459 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:26.505490 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:26.506120 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:29:44.539755 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:44.539958 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:44.539994 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:29:44.540022 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:29:44.541340 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:44.541494 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:44.541583 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:44.541615 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:30:02.576180 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:30:02.576362 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:30:02.576396 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:30:02.576426 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:30:05.134078 2018] [deflate:debug] [pid 17970] mod_deflate.c(853): [client 192.168.2.16:55447] AH01384: Zlib: Compressed 13343 to 2899 : URL /index.php
[Tue Dec 25 11:30:10.141799 2018] [ssl:debug] [pid 17970] ssl_engine_io.c(1044): [client 192.168.2.16:55447] AH02001: Connection closed to child 4 with standard shutdown (server localhost:443)
It seems to get stuck on authentication but I do not know why.
Tested different browsers and all of them display slow loading if Basic Authentication is enabled.
How to debug this?
EDIT: I also noticed Apache's CPU usage going through the roof hogging 100% while authenticating.
Try moving the Require Valid user outside the Require all
Example
<Location "/secure">
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile "/www/etc/dbmpasswd"
Require valid-user
Order Allow,Deny
Deny from all
Satisfy Any
</Location>
Source reference material used
Apache2 slow basic auth / slow .htpasswd
It is because you are using a slow algorithm for the password; just use the simple md5 algorithm
htpasswd -c -m file login
My Apache slowed down because of the bcrypt encryption of 17 times
htpasswd -B -C 17 -n RDG
(encrypt with bcrypt 17 times and display the results on stdout which is the terminal for user RDG)
htpasswd -B -C 5 -n RDG
(encrypt with bcrypt 5 times and display the results on stdout which is the terminal for user RDG)
When I take the RDG user with the 5 times encrypted password, Apache responds as fast as usual. All other answers above didn't work for me.
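Basic authentication verifies the password again on each request, and the value given to `htpasswd -C` is a log2 cost, so every step up doubles the work. This added example (not from the answers above) reads an `.htpasswd` file, identifies each entry's hash scheme, and reports the bcrypt cost with its work relative to cost 5. The sample entries are constructed placeholders rather than real hashes, and the function names and the `max_cost` threshold are assumptions.

```python
import re

# htpasswd -B writes "$2y$<cost>$" followed by 22 salt and 31 hash characters.
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")
FAST_SCHEMES = {"md5-apr1", "sha1-unsalted", "crypt-des"}


def classify_hash(value):
    """Return (scheme, bcrypt cost or None) for one htpasswd hash field."""
    m = BCRYPT_RE.fullmatch(value)
    if m:
        return "bcrypt", int(m.group(1))
    if value.startswith("$apr1$"):
        return "md5-apr1", None          # htpasswd -m
    if value.startswith("{SHA}"):
        return "sha1-unsalted", None     # htpasswd -s
    if re.fullmatch(r"[./A-Za-z0-9]{13}", value):
        return "crypt-des", None         # htpasswd -d
    return "unknown", None


def audit_htpasswd(text, max_cost=12, baseline_cost=5):
    """List every entry with its scheme, cost and work relative to baseline_cost.

    max_cost is an assumed threshold above which per-request verification is
    flagged as slow; tune it to the hardware serving the requests.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, value = line.partition(":")
        scheme, cost = classify_hash(value)
        entry = {"line": lineno, "user": user, "scheme": scheme,
                 "cost": cost, "relative_work": None, "note": "ok"}
        if scheme == "bcrypt":
            # bcrypt runs 2**cost key-setup rounds, so work scales as a power of two.
            entry["relative_work"] = 2 ** (cost - baseline_cost)
            if cost > max_cost:
                entry["note"] = "slow: this cost is paid on every Basic-auth request"
        elif scheme in FAST_SCHEMES:
            entry["note"] = "fast hash: cheap to guess offline if the file leaks"
        else:
            entry["note"] = "unrecognised format"
        findings.append(entry)
    return findings


def slow_users(text, max_cost=12):
    """Users whose bcrypt cost exceeds max_cost."""
    return [e["user"] for e in audit_htpasswd(text, max_cost)
            if e["scheme"] == "bcrypt" and e["cost"] > max_cost]


# Constructed sample: placeholder salt/hash characters, not real password hashes.
_FAKE_BCRYPT_TAIL = "." * 22 + "A" * 31
SAMPLE_HTPASSWD = "\n".join([
    "RDG:$2y$17$" + _FAKE_BCRYPT_TAIL,
    "RDG-cost5:$2y$05$" + _FAKE_BCRYPT_TAIL,
    "legacy:$apr1$abcdefgh$" + "B" * 22,
    "older:{SHA}" + "C" * 27 + "=",
])

if __name__ == "__main__":
    for e in audit_htpasswd(SAMPLE_HTPASSWD):
        work = f"{e['relative_work']}x cost-5 work" if e["relative_work"] else "n/a"
        print(f"line {e['line']}: {e['user']:<10} {e['scheme']:<14} {work:<18} {e['note']}")
```

Cost 17 is 4096 times the work of cost 5 per verification. A moderate cost combined with credential caching through `mod_authn_socache` keeps request latency down without falling back to a fast hash.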

Random Internal Server Error 500 after apache and system update

I'm not 100% sure that the real source of the problem is apache (could be php or other), but I'd like to start from here, as the only log that provides me with information (with trace4 level) is the apache log. No information appears from other logs.
I have:
- Linux 4.7.4-100.fc23.x86_64
- Server version: Apache/2.4.23 (Fedora)
- mysql Ver 15.1 Distrib 10.0.26-MariaDB, for Linux (x86_64) using readline 5.1
- PHP Version => 5.6.25
The problem: random internal server error 500. Random because, for example, if a page produces the error and I do a "reload", then it works. The same page may fail as well as work. Sometimes you can use the site for several minutes with no problems, then suddenly there is the error.
When error occurs, this is all that I get from the log file (with loglevel = trace4):
[...]
[Fri Sep 30 07:41:39.151052 2016] [rewrite:trace3] [pid 17957:tid 140241771534080] mod_rewrite.c(477): [client 151.25.206.200:38368] 151.25.206.200 - - [www.centrometeo.com/sid#55c3e3673400][rid#7f8c8000e9d0/subreq] [perdir /home/web/centrometeo.com/] applying pattern '.*' to uri 'index.php', referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.151092 2016] [rewrite:trace1] [pid 17957:tid 140241771534080] mod_rewrite.c(477): [client 151.25.206.200:38368] 151.25.206.200 - - [www.centrometeo.com/sid#55c3e3673400][rid#7f8c8000e9d0/subreq] [perdir /home/web/centrometeo.com/] pass through /home/web/centrometeo.com/index.php, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913003 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(567): [client 151.25.206.200:38368] Headers from script 'php.fcgi':, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913097 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(568): [client 151.25.206.200:38368] Status: 500 Internal Server Error, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913130 2016] [core:trace1] [pid 17957:tid 140241771534080] util_script.c(649): [client 151.25.206.200:38368] Status line from script 'php.fcgi': 500 Internal Server Error, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913162 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(568): [client 151.25.206.200:38368] X-Powered-By: PHP/5.6.26, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913191 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(568): [client 151.25.206.200:38368] P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913218 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(568): [client 151.25.206.200:38368] Content-Encoding: gzip, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913246 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(568): [client 151.25.206.200:38368] Vary: Accept-Encoding, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913275 2016] [core:trace4] [pid 17957:tid 140241771534080] util_script.c(568): [client 151.25.206.200:38368] Content-type: text/html; charset=UTF-8, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913395 2016] [http:trace3] [pid 17957:tid 140241771534080] http_filters.c(1006): [client 151.25.206.200:38368] Response sent with status 500, headers:, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913432 2016] [http:trace4] [pid 17957:tid 140241771534080] http_filters.c(835): [client 151.25.206.200:38368] X-Powered-By: PHP/5.6.26, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913458 2016] [http:trace4] [pid 17957:tid 140241771534080] http_filters.c(835): [client 151.25.206.200:38368] P3P: CP=\\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\\", referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[Fri Sep 30 07:41:39.913481 2016] [http:trace4] [pid 17957:tid 140241771534080] http_filters.c(835): [client 151.25.206.200:38368] Content-Encoding: gzip, referer: http://www.centrometeo.com/modelli-numerici/modello-wrf-nmm/559-wrf-mslp-6hprec-ita
[...]
Note the use of fcgi. Apache is indeed configured with event/php-fpm/FastCGI, but the same thing happens with "normal" prefork / php!
Until a few days ago it did not happen; it started after updating the system (kernel, apache, php, mariadb).
I do not really know what to do.
Thank you very much.
Additional information:
/var/log/httpd/error_log, at "crash time":
[Fri Sep 30 19:09:03.897325 2016] [mpm_event:trace4] [pid 30339:tid 139796798162688] event.c(930): socket reached timeout in lingering-close state

Apache Kerberos not Authenticating from Windows Client

With a number of great websites for reference, I set up an Apache 2.4 environment on Solaris 11 using the auth_gss_module for Kerberos authentication. The problem I have is not being able to access an authorized page using IE, Chrome, or Firefox on Windows 7 or Windows Server 2008. I have been successful accessing the secured page with curl and Python scripts and also Safari and Firefox browsers on OS X 10.10. I have listed output from both successful and failed attempts with Kerberos authentication. I am not sure if it might be a configuration setting within AD that needs to be changed or maybe an encryption difference. I am looking for suggestions on what to do next. Thank you.
A key tab was created for me by the AD admin, and these are the contents of the key tab:
cyoull@host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab
Keytab name: FILE:host0ad903_keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HTTP/host0ad903.abc.def.net@ABC.DEF.NET
On OS X, this is the list of kerberos tickets from the klist command.
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
Principal: cyoull@ABC.DEF.NET
Issued Expires Principal
Sep 25 07:22:52 2015 Sep 25 17:22:40 2015 krbtgt/ABC.DEF.NET@ABC.DEF.NET
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
Principal: cyoull@ABC.DEF.NET
Issued Expires Principal
Sep 25 07:22:52 2015 Sep 25 17:22:40 2015 krbtgt/ABC.DEF.NET@ABC.DEF.NET
Sep 25 07:23:06 2015 Sep 25 17:22:40 2015 HTTP/host0ad903.abc.def.net@ABC.DEF.NET
Valid starting Expires Service principal
18/09/2015 10:17 18/09/2015 20:17 krbtgt/ABC.DEF.NET@ABC.DEF.NET
renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
18/09/2015 10:17 18/09/2015 20:17 HTTP/host0ad903.abc.def.net@ABC.DEF.NET
renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
This is the Apache log after successfully accessing the secured page with Kerberos authentication from Safari on OS X
[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
[Fri Sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull@ABC.DEF.NET
This is the Apache log file after a successful attempt with a Python script on Windows Server 2008
[Thu Sep 17 16:29:48.890889 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.890900 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(632): [client 10.115.2.117:50526] No authentication data found
[Thu Sep 17 16:29:48.890909 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(592): [client 10.115.2.117:50526] note_gss_auth_failure: auth_name = <undefined>
[Thu Sep 17 16:29:48.908047 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.908056 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(334): [client 10.115.2.117:50526] authenticate_user_gss called
[Thu Sep 17 16:29:48.908080 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(373): [client 10.115.2.117:50526] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Thu Sep 17 16:29:48.908188 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(411): [client 10.115.2.117:50526] Client wants GSS mech: kerberos_v5
[Thu Sep 17 16:29:48.908203 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(288): [client 10.115.2.117:50526] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Thu Sep 17 16:29:48.910360 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(438): [client 10.115.2.117:50526] got server creds for: HTTP/host0ad903.abc.def.net@ABC.DEF.NET
[Thu Sep 17 16:29:48.917847 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(524): [client 10.115.2.117:50526] Authenticated user before AuthGSSStripDomainAT: cyoull@ABC.DEF.NET
[Thu Sep 17 16:29:48.917863 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(533): [client 10.115.2.117:50526] Authenticated user before AuthGSSForceCase: coy
[Thu Sep 17 16:29:48.917873 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(549): [client 10.115.2.117:50526] Authenticated user (final result) : cyoull@ABC.DEF.NET
These are the Kerberos tickets on the Windows 7 client
U:\>klist
Current LogonId is 0:0xa84757
Cached Tickets: (2)
#0> Client: cyoull @ ABC.DEF.NET
Server: krbtgt/ABC.DEF.NET @ ABC.DEF.NET
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 9/25/2015 9:19:28 (local)
End Time: 9/25/2015 19:19:28 (local)
Renew Time: 10/2/2015 9:19:28 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: cyoull @ ABC.DEF.NET
Server: HTTP/host0ad903.abc.def.net @ ABC.DEF.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/25/2015 9:19:30 (local)
End Time: 9/25/2015 19:19:28 (local)
Renew Time: 10/2/2015 9:19:28 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Using the developer tools in Firefox, I see three GET requests, and in the Apache log file it looks as if the Kerberos negotiation tries more than once and then fails with a 401 Unauthorized.
[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP/host0ad903.abc.def.net@abc.def.net
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
Have you configured the web browsers on Windows to actually do HTTP Negotiate with this server? For example, in Firefox you need to set:
network.negotiate-auth.trusted-uris = abc.def.net
or another pattern that would match the URL. Chrome similarly has to be told to be willing to authenticate to the particular server, e.g. with:
--auth-server-whitelist="*.foo.com"
or via group policy.
If that’s not the problem, then please do this:
ipconfig /flushdns
klist purge
Run Wireshark and capture the HTTP, DNS, and Kerberos traffic during a failure (ports 80, 53, and 88).
Post the resulting pcap file.
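The failing log above shows the module naming the client's mechanism as spnego and then <unknown> before gss_accept_sec_context() rejects the token. As an added example (not part of the thread and not mod_auth_gss code), this Python classifier names the mechanism inside an `Authorization: Negotiate` value taken from a capture like the one requested above; the function names, labels and sample tokens are constructed here, and whether the rejected token was NTLM is not established by the thread.

```python
import base64

# DER value bytes of the mechanism OIDs (standard values, not from the page).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_MAGIC = b"NTLMSSP\x00"


def read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(header_value):
    """Name the mechanism carried by an 'Authorization: Negotiate' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "no-token"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLMSSP_MAGIC):
            return "ntlmssp"              # bare NTLM, no GSS-API framing
        if token[:1] != b"\x60":          # not an initial GSS-API token
            return "unknown"
        _, pos = read_len(token, 1)
        if token[pos] != 0x06:            # mechanism OID must come first
            return "unknown"
        oid_len, pos = read_len(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "malformed"
    if oid != SPNEGO_OID:
        return "kerberos_v5" if oid == KRB5_OID else "unknown"
    # Heuristic byte search for the mechanism wrapped inside SPNEGO.
    if NTLMSSP_MAGIC in token:
        return "spnego/ntlm"
    return "spnego/kerberos" if KRB5_OID in token else "spnego/other"


def tlv(tag, content):  # short-form DER length; samples stay under 128 bytes
    return bytes([tag, len(content)]) + content


def sample_headers():
    """Constructed tokens (not captured traffic), keyed by expected label."""
    ap_req = tlv(0x60, tlv(0x06, KRB5_OID) + b"\x01\x00" + bytes(16))
    ntlm = NTLMSSP_MAGIC + (1).to_bytes(4, "little") + bytes(24)
    def spnego(oid, tok):  # minimal negTokenInit around one mechanism token
        init = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x06, oid)))
                   + tlv(0xA2, tlv(0x04, tok)))
        return tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, init))
    raw = {"kerberos_v5": ap_req, "ntlmssp": ntlm,
           "spnego/kerberos": spnego(KRB5_OID, ap_req),
           "spnego/ntlm": spnego(NTLM_OID, ntlm)}
    return {label: "Negotiate " + base64.b64encode(tok).decode()
            for label, tok in raw.items()}
```

A result of `ntlmssp` or `spnego/ntlm` means the client sent no Kerberos service ticket for the URL, so the server-side keytab never comes into play for that request.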

Apache 2.4.6 mod_proxy_fcgi and PHP-FPM returning 404 error

I have PHP 5.3.3 with PHP-FPM running at 172.17.0.163:20533. I tested it with nginx and with cgi-fcgi:
$ SCRIPT_FILENAME=/www/localhost/test.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 172.17.0.163:20533
returns
X-Powered-By: PHP/5.3.3
Content-type: text/html
hello, it works!
So, PHP-FPM is working.
Unfortunately, Apache 2.4 has some issues with PHP-FPM:
<VirtualHost *>
UseCanonicalName Off
VirtualDocumentRoot "/www/%0"
RewriteEngine On
RewriteRule ^/(.*\.php(/.*)?)$ fcgi://172.17.0.163:20533/www/%{SERVER_NAME}/$1 [P]
</VirtualHost>
Opening http:// localhost/test.php returns a "404 Not found" error. Non-PHP files are working. Looking at the Apache error logs, everything looks fine.
[Fri Nov 15 18:53:00.426776 2013] [mpm_event:info] [pid 1959:tid 140474380953408] AH00490: Server built: Nov 13 2013 14:23:31
[Fri Nov 15 18:53:00.426787 2013] [core:notice] [pid 1959:tid 140474380953408] AH00094: Command line: '/usr/local/sbin/httpd'
[Fri Nov 15 18:53:00.426917 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.426950 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.427010 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3028 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:00.427101 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.427421 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.427445 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.427488 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3029 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:00.427129 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.428326 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3030 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:01.627599 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] init rewrite engine with requested uri /test.php
[Fri Nov 15 18:53:01.627664 2013] [rewrite:trace3] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] applying pattern '^/(.*\\.php(/.*)?)$' to uri '/test.php'
[Fri Nov 15 18:53:01.627718 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] rewrite '/test.php' -> 'fcgi://172.17.0.163:20533/www/localhost/test.php'
[Fri Nov 15 18:53:01.627747 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] forcing proxy-throughput with fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.627759 2013] [rewrite:trace1] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] go-ahead with proxy request proxy:fcgi://172.17.0.163:20533/www/localhost/test.php [OK]
[Fri Nov 15 18:53:01.627776 2013] [proxy_fcgi:trace1] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(90): [client 172.17.42.1:57951] canonicalising URL //172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.627776 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(120): [client 172.17.42.1:57951] AH01060: set r->filename to proxy:fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628070 2013] [proxy:trace2] [pid 3028:tid 140474150618880] proxy_util.c(1857): [client 172.17.42.1:57951] *: found reverse proxy worker for fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628082 2013] [proxy:debug] [pid 3028:tid 140474150618880] mod_proxy.c(1100): [client 172.17.42.1:57951] AH01143: Running scheme fcgi handler (attempt 0)
[Fri Nov 15 18:53:01.628096 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(944): [client 172.17.42.1:57951] AH01076: url: fcgi://172.17.0.163:20533/www/localhost/test.php proxyname: (null) proxyport: 0
[Fri Nov 15 18:53:01.628107 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(954): [client 172.17.42.1:57951] AH01078: serving URL //172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628134 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2020): AH00942: FCGI: has acquired connection for (*)
[Fri Nov 15 18:53:01.628147 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2072): [client 172.17.42.1:57951] AH00944: connecting //172.17.0.163:20533/www/localhost/test.php to 172.17.0.163:20533
[Fri Nov 15 18:53:01.628224 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2194): [client 172.17.42.1:57951] AH00947: connected /www/localhost/test.php to 172.17.0.163:20533
[Fri Nov 15 18:53:01.628248 2013] [proxy:trace2] [pid 3028:tid 140474150618880] proxy_util.c(2446): FCGI: fam 2 socket created to connect to *
[Fri Nov 15 18:53:01.629453 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(521): [client 172.17.42.1:57951] Headers from script 'test.php':
[Fri Nov 15 18:53:01.629552 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] Status: 404 Not Found
[Fri Nov 15 18:53:01.629583 2013] [proxy_fcgi:trace1] [pid 3028:tid 140474150618880] util_script.c(599): [client 172.17.42.1:57951] Status line from script 'test.php': 404 Not Found
[Fri Nov 15 18:53:01.629595 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] X-Powered-By: PHP/5.3.3
[Fri Nov 15 18:53:01.629608 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] Content-type: text/html
[Fri Nov 15 18:53:01.629680 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2035): AH00943: FCGI: has released connection for (*)
It seems as if mod_proxy_fcgi is not sending the script path correctly?! Has anyone an idea?
UPDATE 16 Nov 2013
I tested it with Apache 2.2.25 and mod_fastcgi 2.4.6:
<VirtualHost *>
UseCanonicalName Off
VirtualDocumentRoot "/www/%0"
AddHandler php5-fastcgi .php
FastCgiExternalServer /www/localhost -host 172.17.0.163:20533
</VirtualHost>
Works like a charm. I guess Apache 2.4.6 with mod_proxy_fcgi is buggy.
Update 17 Nov 2013
I tested it with Apache 2.4.6 and mod_proxy_fcgi and PHP 5.4.21. It works. So, there seems to be a problem with PHP 5.3.3 together with Apache 2.4.6 and mod_proxy_fcgi.
Using PHP 5.3.27 fixes all the issues.