Using kerberos ticket on web browsers

Diego Lima diego-lima at prodesan.com.br
Wed Dec 6 09:15:05 EST 2006


On Tue, 5 Dec 2006 19:41:23 -0000, Tim Alsop wrote

> It is not possible to configure IE to use anything other than LSA 
> for getting credentials, however Firefox can be configure to use a 
> GSS-API library

Thank you for your tip, I was able to find some documents regarding
configuring firefox by searching "firefox gss-api" on google. I've set the
following options on about:config :

network.negotiate-auth.gsslib                     C:\Arquivos de
programas\MIT\Kerberos\lib\i386\gssapi32.lib
network.negotiate-auth.trusted-uris               http://, https://
network.negotiate-auth.using-native-gsslib        false

I've got a valid ticket on krb5cc but I'm still getting permission denied on
the protected webpage, although I can access it from a linux machine using the
same principal.

I've sniffed the packets and I see that firefox is answering the negotiate
request with a "NTLMSSP_NEGOTIATE" request, whereas on linux I don't see the
NTLMSSP part.

Here is the answer firefox gives: 

!FE_2@?Po)whP@$GET /apache2-default/protegido HTTP/1.1
Host: 192.168.130.222
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1)
Gecko/20061010 Firefox/2.0
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
NTLMSSP(

I have already tried to restart firefox but I'm still getting this error. I
have tried to acquire other tickets, but I get the same error, even with the
same negotiate identification (if that's indeed some kind of id).

Am I missing something? Do I have to configure MIT's gss api with anything
other than krb5.ini on my windows directory?
--
Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)


-- 
Esta mensagem foi verificada pelo sistema de antivírus e
 acredita-se estar livre de perigo.




More information about the Kerberos mailing list