Using kerberos ticket on web browsers

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Dec 6 11:22:27 EST 2006


Diego,

What URL are you using when you request access to the web site? E.g. if you enter http://server.domain.com, the browser will request a service ticket called HTTP/server.domain.com@<DEFAULT-REALM>. Perhaps you can check if the cache on the workstation contains this ticket after you attempt to log on?

Thanks,
Tim

-----Original Message-----
From: Diego Lima [mailto:diego-lima at prodesan.com.br] 
Sent: 06 December 2006 14:15
To: Tim Alsop; Julio Cesar Parra/Mexico/IBM; Kerberos Mail List
Subject: RE: Using kerberos ticket on web browsers

On Tue, 5 Dec 2006 19:41:23 -0000, Tim Alsop wrote

> It is not possible to configure IE to use anything other than LSA 
> for getting credentials, however Firefox can be configured to use a 
> GSS-API library

Thank you for your tip, I was able to find some documents regarding
configuring firefox by searching "firefox gss-api" on google. I've set the
following options on about:config :

network.negotiate-auth.gsslib                     C:\Arquivos de programas\MIT\Kerberos\lib\i386\gssapi32.lib
network.negotiate-auth.trusted-uris               http://, https://
network.negotiate-auth.using-native-gsslib        false

I've got a valid ticket on krb5cc but I'm still getting permission denied on
the protected webpage, although I can access it from a linux machine using the
same principal.

I've sniffed the packets and I see that firefox is answering the negotiate
request with a "NTLMSSP_NEGOTIATE" request, whereas on linux I don't see the
NTLMSSP part.

Here is the answer firefox gives: 

GET /apache2-default/protegido HTTP/1.1
Host: 192.168.130.222
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
NTLMSSP(

I have already tried to restart firefox but I'm still getting this error. I
have tried to acquire other tickets, but I get the same error, even with the
same negotiate identification (if that's indeed some kind of id).

Am I missing something? Do I have to configure MIT's gss api with anything
other than krb5.ini on my windows directory?
--

Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)
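
The Authorization header in the capture above can be classified offline from its first bytes: a raw NTLM message starts with the signature "NTLMSSP" followed by a zero byte, while a GSS-API token starts with 0x60 and a mechanism OID (SPNEGO or Kerberos 5). The following is an added example, not part of the original thread; the function name and the SPNEGO sample header are assumptions constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs that open a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

# Header value copied from the capture in the message above.
PAGE_HEADER = "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
# Constructed sample: only a GSS-API/SPNEGO prefix padded with zeros,
# not a real ticket.
CONSTRUCTED_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    bytes.fromhex("60820100") + SPNEGO_OID + bytes(8)).decode()


def classify_negotiate(header_value):
    """Return (kind, ntlm_message_type) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return ("not-negotiate", None)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ("invalid-base64", None)
    # Raw NTLM: 8-byte signature, then a little-endian 32-bit message type
    # (1 = negotiate, 2 = challenge, 3 = authenticate).
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return ("NTLM", msg_type)
    # GSS-API framing: 0x60 tag, DER length, then the mechanism OID.
    if token[:1] == b"\x60":
        head = token[:20]
        if SPNEGO_OID in head:
            return ("SPNEGO", None)
        if KRB5_OID in head:
            return ("Kerberos", None)
        return ("GSS-API-unknown-mech", None)
    return ("unknown", None)


if __name__ == "__main__":
    for name, value in (("capture", PAGE_HEADER),
                        ("constructed", CONSTRUCTED_SPNEGO_HEADER)):
        print(name, classify_negotiate(value))
```
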

