kerberos service (httpd using mod_auth_kerb) in DMZ

FM dist-list at LEXUM.UMontreal.CA
Mon Nov 14 15:44:42 EST 2005


Thank you, I'll use HTTP as the service name.
There is a PXI firewall, but for now all ports are open from the server to the
Kerberos server and there is no NAT.
Do I also need a princ host/... ? For now I just have the HTTP/


Achim Grolms wrote:

>On Monday 14 November 2005 20:43, you wrote:
>
>>Thanks for the reply,
>>
>>you can use http if you add to http conf :  KrbServiceName  "http"
>
>Yes, but you have to configure the Browser, too.
>Internet Exploder *always* sends "HTTP".
>That means "HTTP" is a de-facto standard if you
>don't want to exclude IE-Browsers from HTTP-Authentication.
>
>Have a look at 
><http://www.kerberosprotocols.org/index.php/Draft-brezak-spnego-http-03.txt>:
>
>"When the Kerberos Version 5 GSSAPI mechanism [RFC-1964] is being 
>used, the HTTP server will be using a principal name of the form of 
>"HTTP/".
>
>BTW: is there a HTTP-proxy between Client and kerberized HTTP-Server?
>
>Achim
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos