windows browsers send ntlm instead of kerberos tokens
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Aug 29 11:28:34 EDT 2005
On Monday, August 29, 2005 10:28:35 -0400 Wyllys Ingersoll
<wyllys.ingersoll at sun.com> wrote:
>
> By default, Firefox will only perform GSSAPI (negotiate-auth)
> authentication when the protocol is 'https://'.
>
> Check the "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" parameters (under "about:config")
> and make sure that you allow "http://" as well as "https://" if you are
> accessing non-SSL protected sites.
>
> network.negotiate-auth.delegation-uris = "https://,http://"
> network.negotiate-auth.trusted-uris = "https://,http://"
Aaaa! No! Don't do this unless you _absolutely_ need this ability.
Running HTTP negotiate over a plaintext connection is _not secure_. It
provides no integrity protection and is subject to a relatively easy
man-in-the-middle attack.
If the problem is indeed that the connection is not using SSL, the correct
solution is to change that service to use SSL.
If you absolutely must use HTTP negotiate with a service that is not using
SSL and which you do not control, then turning on negotiate support for
non-SSL connections may be your only choice.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
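The two prefs discussed in this exchange are worth checking mechanically on managed desktops, since a single "http://" entry in either list is enough to let Negotiate run over plaintext. The following script is an added example, not code from either poster: it parses the user_pref(...) lines of a Firefox user.js / prefs.js, reports every entry of network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris that permits plaintext HTTP, and rewrites each list so that only https:// entries remain. The sample user.js content and the host name intranet.example.com are constructed for the example. The treatment of scheme-less entries (a bare host or domain suffix, which Firefox applies to both http and https) reflects my reading of the pref's documented behaviour; adjust allows_plaintext() if your build matches differently.

```python
import re

# Constructed sample of a Firefox user.js, modelled on the prefs named in the
# thread. This is example data, not a file from the original post.
SAMPLE_USER_JS = """\
user_pref("network.negotiate-auth.trusted-uris", "https://,http://");
user_pref("network.negotiate-auth.delegation-uris", "https://,http://");
user_pref("network.negotiate-auth.allow-proxies", true);
user_pref("browser.startup.homepage", "http://intranet.example.com/");
"""

# Only the two negotiate-auth URI lists matter for this check.
NEGOTIATE_URI_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)

# Matches user_pref("name", "string value");  -- only string prefs are captured,
# which is all we need here (the URI lists are strings).
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')


def parse_user_js(text):
    """Return {pref_name: string_value} for the string prefs in a user.js/prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def split_uri_list(value):
    """Split a comma-separated negotiate-auth list into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def allows_plaintext(entry):
    """True if one list entry lets Negotiate run over plain http://.

    Assumption (my reading of the pref): an entry containing a scheme is a
    URI prefix, so only 'http://...' entries are plaintext; an entry without
    a scheme is a host/domain suffix that applies to http and https alike.
    """
    e = entry.lower()
    if "://" in e:
        return e.startswith("http://")
    return True  # bare host or domain suffix: matches http:// too


def audit_negotiate_prefs(prefs):
    """Return [(pref, offending_entry), ...] for entries permitting plaintext Negotiate."""
    findings = []
    for name in NEGOTIATE_URI_PREFS:
        for entry in split_uri_list(prefs.get(name, "")):
            if allows_plaintext(entry):
                findings.append((name, entry))
    return findings


def harden_uri_list(value):
    """Rewrite a list so every entry is https-only.

    'http://...' prefixes are dropped, bare hosts are pinned to https://host,
    existing https:// entries are kept, and duplicates are removed.
    """
    kept = []
    for entry in split_uri_list(value):
        if entry.lower().startswith("http://"):
            continue                     # plaintext prefix: drop it
        if "://" not in entry:
            entry = "https://" + entry   # bare host: pin it to TLS
        if entry not in kept:
            kept.append(entry)
    return ",".join(kept)


def hardened_user_js(prefs):
    """Emit replacement user_pref lines for the two negotiate-auth lists."""
    lines = []
    for name in NEGOTIATE_URI_PREFS:
        if name in prefs:
            lines.append(f'user_pref("{name}", "{harden_uri_list(prefs[name])}");')
    return "\n".join(lines)


if __name__ == "__main__":
    prefs = parse_user_js(SAMPLE_USER_JS)
    for name, entry in audit_negotiate_prefs(prefs):
        print(f"{name}: entry {entry!r} permits Negotiate over plaintext HTTP")
    print("hardened settings:")
    print(hardened_user_js(prefs))
```

Note that harden_uri_list() keeps a scheme-only "https://" entry, which trusts every TLS site for Negotiate; if you only need SSO to known intranet hosts, list those hosts explicitly (they will be pinned to https://) and leave delegation-uris empty unless a service genuinely needs forwarded credentials, since delegation hands the server a usable copy of your Kerberos identity.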