Using kerberos ticket on web browsers
Diego Lima
diego-lima at prodesan.com.br
Wed Dec 6 09:15:05 EST 2006
On Tue, 5 Dec 2006 19:41:23 -0000, Tim Alsop wrote
> It is not possible to configure IE to use anything other than LSA
> for getting credentials, however Firefox can be configure to use a
> GSS-API library
Thank you for your tip, I was able to find some documents regarding
configuring firefox by searching "firefox gss-api" on google. I've set the
following options on about:config :
network.negotiate-auth.gsslib C:\Arquivos de
programas\MIT\Kerberos\lib\i386\gssapi32.lib
network.negotiate-auth.trusted-uris http://, https://
network.negotiate-auth.using-native-gsslib false
I've got a valid ticket on krb5cc but I'm still getting permission denied on
the protected webpage, although I can access it from a linux machine using the
same principal.
I've sniffed the packets and I see that firefox is answering the negotiate
request with a "NTLMSSP_NEGOTIATE" request, whereas on linux I don't see the
NTLMSSP part.
Here is the answer firefox gives:
!FE_2@?Po)whP@$GET /apache2-default/protegido HTTP/1.1
Host: 192.168.130.222
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1)
Gecko/20061010 Firefox/2.0
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
NTLMSSP(
I have already tried to restart firefox but I'm still getting this error. I
have tried to acquire other tickets, but I get the same error, even with the
same negotiate identification (if that's indeed some kind of id).
Am I missing something? Do I have to configure MIT's gss api with anything
other than krb5.ini on my windows directory?
--
Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)
--
Esta mensagem foi verificada pelo sistema de antivírus e
acredita-se estar livre de perigo.
More information about the Kerberos
mailing list