Using kerberos ticket on web browsers

Achim Grolms kerberosml at grolmsnet.de
Wed Dec 6 12:49:53 EST 2006


On Wednesday 06 December 2006 18:29, Diego Lima wrote:

> network.auth.use-sspi                      true

if true this means Firefox uses the Win32-API (calles SSPI).
Set this to false to use a 3rd party GSSAPI.
(automatically switches network.negotiate-auth.using-native-gsslib
 to 'true', this works like a flip-flop)

> network.negotiate-auth.gsslib              [path to
> KfW]\lib\i386\gssapi32.lib 

Never used this, blank in my setup.

>> network.negotiate-auth.trusted-uris        
> http://, https://

in my setup I put my local domains into it I am using
for GSSAPI-based Authentication.
As far as I know Kerberos5 always needs proper configured
hostnames (FQDNs in principals and keytabs), so putting in
your local DNS-domain(s) will be no problem. or?

BTW: does the kvno test work?
I am using it to detect if the underlying GSSAPI works
in general.

> network.negotiate-auth.using-native-gsslib false

Switch this to "true" to make KfW work.

> As far as I understood (I'm probably wrong at some point)
> negotiate-auth.gsslib should be telling which SSPI firefox should use,
> right? Do I need to change anything else?

This is blank in my setup.

Achim

-- 
using mod_auth_kerb and Windows 2000/2003 as KDC:
<http://www.grolmsnet.de/kerbtut/>



More information about the Kerberos mailing list