Using kerberos ticket on web browsers

Diego Lima diego-lima at prodesan.com.br
Thu Dec 7 11:42:52 EST 2006


I have set up a DNS server today and I still cannot use my Kerberos tickets
from Windows Firefox, although I can get my server to recognize and work
properly with Firefox and Konqueror running on Linux. I've taken the following
steps so far:

1. Set up my Kerberos server
2. Set up my Apache server to use Kerberos authentication. I access it using
http://estagiario6.sso.com.br
3. Set up Linux clients - they can get tickets and access the protected web page.
4. Set up Windows clients - they are able to get tickets through kinit (both
MIT kinit and Java kinit). I'll detail Firefox configuration in a while.
5. Set up a DNS server. So far I had been using host names by placing them in
hosts files (both on Windows and Linux).
6. Tested Linux clients again. They are working fine with the new DNS and can
acquire tickets and access the protected web page using those tickets.
7. Tested Windows clients again. They can acquire tickets with kinit. But
Firefox still can't access the protected web page.


Here is what I've done on my Windows clients:
1 - Install Kerberos for Windows 3.1 (also tested with 3.0 with no results)
from http://web.mit.edu/Kerberos/dist/kfw/3.1/kfw-3.1/kfw-3-1-0.exe

2 - Install Firefox 2.0 (also tested with 1.5)
3 - On Firefox about:config:
  network.auth.use-sspi  false (tried with true as well)
  network.negotiate-auth.gsslib  C:\Arquivos de programas\MIT\Kerberos\lib\i386\gssapi32.lib (also tried blank)
  network.negotiate-auth.trusted-uris  estagiario6.sso.com.br (also tried http://)
  network.negotiate-auth.using-native-gsslib  true (also tried false)

Whenever network.auth.use-sspi is true, Firefox sends an NTLM authentication
request. It doesn't matter whether network.negotiate-auth.using-native-gsslib
is true or false. Whenever it's false, it won't even respond to the negotiate
request.

Changing network.negotiate-auth.gsslib doesn't seem to have any effect
either. I've also tried with \bin\gssapi32.dll with no success.

At least it respects network.negotiate-auth.trusted-uris and will only send
the request (even if it is trying to use NTLM) to the specified url(s).

There must be something wrong in my setup (obviously), but I'm sure it isn't
on the server side, since Linux clients are able to authenticate properly.
I've come to the conclusion that Firefox is using NTLM by sniffing network
packets (I can send them if anyone is interested, but I don't think it's relevant).

Thank you,


--
Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)


-- 
This message has been scanned by the antivirus system and
 is believed to be free of danger.
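
The NTLM-versus-Kerberos distinction the poster reports seeing in a packet capture can be read directly from the token in the `Authorization` header. The following is an added example, not part of the original post; the function names and the sample tokens are constructed for illustration, and the SPNEGO branch uses a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Classify the token of an 'Authorization: <scheme> <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return f"{scheme}: token is not valid base64"
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return f"{scheme}: raw NTLM {NTLM_TYPES.get(msg_type, 'unknown')}"
    if len(token) > 2 and token[0] == 0x60:  # GSS-API InitialContextToken
        oid_at = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)  # skip DER length
        if token.startswith(OID_SPNEGO, oid_at):
            # Heuristic: an embedded NTLMSSP message means the mechToken is NTLM
            if NTLM_SIG in token:
                return f"{scheme}: SPNEGO carrying NTLM"
            if OID_KRB5 in token or OID_MS_KRB5 in token:
                return f"{scheme}: SPNEGO carrying Kerberos"
            return f"{scheme}: SPNEGO, mechanism not identified"
        if token.startswith(OID_KRB5, oid_at):
            return f"{scheme}: raw Kerberos 5 GSS token"
    return f"{scheme}: unrecognized token"


def _tlv(tag, body):  # minimal DER TLV builder for the samples (length < 128)
    return bytes([tag, len(body)]) + body


def sample_headers():
    """Constructed header values, not captured traffic."""
    ntlm1 = NTLM_SIG + struct.pack("<II", 1, 0xA2088207) + bytes(16)
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, OID_KRB5))))
    spnego = _tlv(0x60, OID_SPNEGO + neg_init)
    return ["Negotiate " + base64.b64encode(t).decode() for t in (ntlm1, spnego)]

if __name__ == "__main__":
    for value in sample_headers():
        print(classify_authorization(value))
```

A base64 token beginning with `TlRMTVNTUAAB` under the `Negotiate` scheme is a raw NTLM type 1 message, which matches the behaviour described in the message when `network.auth.use-sspi` is true.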



