Determining the Kerberos domain in HTTP

"Martin v. Löwis" martin at v.loewis.de
Tue Dec 27 11:18:34 EST 2005


How should a web browser determine the domain
in the SPN? More specifically, how does IE6 determine
the domain?

In our scenario, we have two AD domains: B.com,
and A.B.com. There is a unidirectional trust: A.B.com
trusts B.com. The web server is www.A.B.com; it
has a servicePrincipalName mapping in the Active
Directory, with an SPN of HTTP/www.a.b.com.

A user foo at A.B.COM can readily authenticate to
the webserver.

Also, with MIT Kerberos on Linux, a user who
has a TGT for bar at B.COM can authenticate to the
webserver.

Unfortunately, bar at B.COM can NOT authenticate
to the webserver with IE6, nor with
Mozilla Firefox, using SSPI.

My guess is that SSPI tries to obtain a ticket
for HTTP/www.a.b.com at B.COM, when it should ask
for a ticket for HTTP/www.a.b.com at A.B.COM
(which it would get).

How can I tell IE6/SSPI/SPNEGO to go to a
different KDC for authentication?

TIA,
Martin
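As an added illustration (not part of the original post, and not the code of MIT Kerberos or SSPI), the following models the host-to-realm mapping an MIT-style client performs from the krb5.conf [domain_realm] section, and the resulting ticket requests for the post's scenario: a client holding a TGT for B.COM targeting HTTP/www.a.b.com. The [domain_realm] entries below are constructed for this scenario and are an assumption, not configuration taken from the post.

```python
# Constructed [domain_realm] mapping for the scenario in the post:
# hosts under a.b.com belong to realm A.B.COM, other b.com hosts to B.COM.
DOMAIN_REALM = {
    ".a.b.com": "A.B.COM",
    "a.b.com": "A.B.COM",
    ".b.com": "B.COM",
    "b.com": "B.COM",
}


def host_to_realm(host, mapping=DOMAIN_REALM):
    """Map a hostname to a realm the way an MIT-style client reads
    [domain_realm]: try the exact host first, then each parent domain
    written with a leading dot (so the longest matching suffix wins)."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    # Fallback when nothing matches: the parent domain, upper-cased.
    return ".".join(labels[1:]).upper()


def service_principal(service, host):
    """Build the service principal name, realm taken from the hostname."""
    return f"{service}/{host.lower()}@{host_to_realm(host)}"


def ticket_requests(client_realm, service, host):
    """Tickets a client must obtain in order. When the service realm
    differs from the realm of the client's TGT, a cross-realm TGT for the
    service realm is requested first; this is the path that lets
    bar@B.COM reach HTTP/www.a.b.com@A.B.COM under a trust where A.B.COM
    trusts B.COM."""
    target_realm = host_to_realm(host)
    spn = service_principal(service, host)
    if target_realm == client_realm:
        return [spn]
    return [f"krbtgt/{target_realm}@{client_realm}", spn]


if __name__ == "__main__":
    for step in ticket_requests("B.COM", "HTTP", "www.a.b.com"):
        print(step)
```

A client that instead keeps the realm of its own TGT would ask B.COM for HTTP/www.a.b.com@B.COM, which is the behaviour the post suspects of SSPI.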
