MIT Kerberos problem with Windows clients

Greg Hudson ghudson at MIT.EDU
Fri Jan 17 15:53:19 EST 2014


On 01/17/2014 08:02 AM, Morgan Patou wrote:
> [Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1401): [client < VPN Internal IP>] Client delegated us their credential
[...]
> It's just as if Firefox has to give the ticket to Apache for each element that has to be loaded in the browser (css, images, js, ...). So the page takes at least 5 minutes to be completely loaded.

Yeah, traditional Kerberos ticket delegation and HTTP negotiate auth do
not mix well.  The client fetches a fresh TGT from the KDC for each
delegation, adding a bunch of round trips to each HTTP request.

If the server does not need a delegated TGT, then just remove the
network.negotiate-auth.delegation-uris setting in Firefox and you should
get dramatically better performance.  If the server does need a
delegated TGT in order to act on the client's behalf for some other
service, then perhaps you can restrict the delegation-uris setting to
just the URLs where a TGT is needed.
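
Added example, not part of the original message or of mod_auth_kerb: a Python check that counts the "Client delegated us their credential" debug lines per client in an Apache error log, so you can confirm that delegation stops (or drops to the few URLs that need it) after changing network.negotiate-auth.delegation-uris. It assumes the Apache 2.2-style log format quoted above; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the mod_auth_kerb debug line quoted in this thread (Apache 2.2 error log layout).
LINE_RE = re.compile(
    r"^\[\w{3} (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] \[debug\] "
    r"src/mod_auth_kerb\.c\(\d+\): \[client (?P<client>[^\]]+)\] "
    r"Client delegated us their credential"
)

def delegation_bursts(lines, window_s=10, threshold=3):
    """Per client: total delegations, peak count inside any window_s-second
    window, and a flag when that peak reaches threshold (hypothetical defaults)."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
            events[m["client"].strip()].append(ts)
    report = {}
    for client, stamps in events.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most window_s seconds.
            while ts - stamps[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        report[client] = {"total": len(stamps), "peak": peak,
                          "flag": peak >= threshold}
    return report

# Constructed sample: one page load delegating on every sub-request, one single delegation.
PREFIX = "[debug] src/mod_auth_kerb.c(1401): [client "
SAMPLE_LOG = [
    "[Fri Jan 17 09:28:41 2014] " + PREFIX + "192.0.2.10] Client delegated us their credential",
    "[Fri Jan 17 09:28:42 2014] " + PREFIX + "192.0.2.10] Client delegated us their credential",
    "[Fri Jan 17 09:28:42 2014] " + PREFIX + "192.0.2.10] some other debug message (constructed)",
    "[Fri Jan 17 09:28:43 2014] " + PREFIX + "192.0.2.10] Client delegated us their credential",
    "[Fri Jan 17 09:28:44 2014] " + PREFIX + "192.0.2.10] Client delegated us their credential",
    "[Fri Jan 17 09:30:00 2014] " + PREFIX + "192.0.2.20] Client delegated us their credential",
]

if __name__ == "__main__":
    for client, stats in sorted(delegation_bursts(SAMPLE_LOG).items()):
        print(client, stats)
```

Run it over the error log before and after the Firefox change; a client that is still flagged is still forwarding a TGT on every sub-request.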

