windows browsers send ntlm instead of kerberos tokens
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Aug 29 10:28:35 EDT 2005
By default, Firefox will only perform GSSAPI (negotiate-auth) authentication
when the protocol is 'https://'.
Check the "network.negotiate-auth.delegation-uris" and
"network.negotiate-auth.trusted-uris" parameters (under "about:config") and
make sure that you allow "http://" as well as "https://" if you are
accessing
non-SSL protected sites.
network.negotiate-auth.delegation-uris = "https://,http://"
network.negotiate-auth.trusted-uris = "https://,http://"
-Wyllys
Julien ALLANOS wrote:
> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support. If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active
>>>> Directory
>>>> account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the
>>> Kerberos
>>> credentials at login, that FF or IE might be able to use after?
>>
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
More information about the Kerberos
mailing list