windows browsers send ntlm instead of kerberos tokens
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Aug 29 11:31:54 EDT 2005
Jeffrey Hutzelman wrote:
>>
>> By default, Firefox will only perform GSSAPI (negotiate-auth) authentication
>> when the protocol is 'https://'.
>>
>> Check the "network.negotiate-auth.delegation-uris" and
>> "network.negotiate-auth.trusted-uris" parameters (under "about:config") and
>> make sure that you allow "http://" as well as "https://" if you are accessing
>> non-SSL protected sites.
>>
>> network.negotiate-auth.delegation-uris = "https://,http://"
>> network.negotiate-auth.trusted-uris = "https://,http://"
>
>
> Aaaa! No! Don't do this unless you _absolutely_ need this ability.
>
> Running HTTP negotiate over a plaintext connection is _not secure_.
> It provides no integrity protection and is subject to a relatively
> easy man-in-the-middle attack.

I totally agree with Jeff; that is why SSL is the default setting for
Firefox. I was just pointing out one possible reason why the test was
not working for the original poster.

-Wyllys
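
An added example, not part of the original message or of Firefox itself: a small Python check that reads prefs.js-style text and reports negotiate-auth entries that are not restricted to https or that name no host. The sample text and the host `intranet.example.com` are constructed for illustration, and treating a scheme-less entry as not limited to https is an assumption.

```python
import re

# Preferences named in the thread above.
NEGOTIATE_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)
# Matches one prefs.js / user.js line: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')


def classify(entry):
    """Return the list of findings for one comma-separated list entry."""
    findings = []
    scheme, sep, host = entry.partition("://")
    if not sep:
        # Assumption: an entry without a scheme is not restricted to https.
        findings.append("no scheme: not limited to https")
    else:
        if scheme.lower() != "https":
            findings.append("not https: Negotiate would run over plaintext")
        if not host:
            findings.append("no host: applies to every site on that scheme")
    return findings


def audit_prefs(text):
    """Return (pref, entry, finding) tuples for the negotiate-auth prefs."""
    results = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m or m.group(1) not in NEGOTIATE_PREFS:
            continue
        for entry in filter(None, (e.strip() for e in m.group(2).split(","))):
            results.extend((m.group(1), entry, f) for f in classify(entry))
    return results


# Constructed samples: the settings quoted in the thread, and a narrow one.
SAMPLE_WIDE = '''
user_pref("network.negotiate-auth.delegation-uris", "https://,http://");
user_pref("network.negotiate-auth.trusted-uris", "https://,http://");
'''
SAMPLE_NARROW = '''
user_pref("network.negotiate-auth.trusted-uris", "https://intranet.example.com");
'''

if __name__ == "__main__":
    for pref, entry, finding in audit_prefs(SAMPLE_WIDE):
        print(f"{pref}: {entry!r}: {finding}")
```
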