Using kerberos ticket on web browsers

Tim Alsop Tim.Alsop at CyberSafe.Com
Tue Dec 5 14:41:23 EST 2006


Diego,

It is not possible to configure IE to use anything other than LSA for getting credentials; however, Firefox can be configured to use a GSS-API library, so you can configure Firefox to use the MIT gss dll and then it can access credentials obtained by your GINA.

To find out how to configure Firefox, look in help or let me know if you get stuck.

Thanks,
Tim 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Diego Lima
Sent: 05 December 2006 19:32
To: Julio Cesar Parra/Mexico/IBM; Kerberos Mail List
Subject: Re: Using kerberos ticket on web browsers

Hello again,

We don't have any Windows AD server on the network (actually, we have no 
Windows servers, AD or not). Currently we get our tickets from a Debian 
server configured with Samba+OpenLDAP+MIT Kerberos. While Windows doesn't 
get a ticket at logon, we use a combination of MIT for Windows and a custom 
GINA to acquire the tickets from our Kerberos KDC.

These tickets are stored in two places: a file on a network share and the 
MIT API krb5cc. We have no tickets in the LSA, which (I believe) is where IE 
and Firefox are trying to get the tickets from, and we need to point them 
towards either ticket location (file or API).

Thank you,

--

Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)


On Tue, 5 Dec 2006 11:33:56 -0600, Julio Cesar Parra/Mexico/IBM wrote
> Hi, maybe these steps can help you with your problem.
> 
> If you are logging into a Windows AD server that is not on the same 
> domain as the webserver, you must do the following on the client 
> PC's browser to trust that site (so it sends the Kerberos ticket):
> 
> 1. In Internet Explorer, click Tools, and then click Internet Options.
> 
> 2. Click the Security tab, then click Local intranet, then click 
> Sites, and then click Advanced.
> 
> 3. In the "Add this Web site to the zone:" text box, type the name of 
> the website you want to authenticate to with Kerberos authentication,
> and then click Add.
> 
> 4. Click OK.
> 
> Regards.
> 
> *  Carpe diem
> Julio Cesar Parra Uribe   E-mail: jcparra at mx1.ibm.com 
> T/L   877-2535 Ext phone:  (5233)3669-7000  Ext.  2535 
> Project Manager
> SY-KRB-CP-EZ-HFS-BATS-RC-MN-REXX
> TRCTCPAPP-ISQL-QRY400 Guad Team.

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
