Determining the Kerberos domain in HTTP

Douglas E. Engert deengert at anl.gov
Tue Jan 3 17:46:32 EST 2006


This sounds like IE and SSPI are using referrals:

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-06.txt

where the client asks the KDC of the user's realm to refer the
client to the correct realm for the server. In AD it uses the Global
Catalog to find it in the forest.  I believe that there was some support
or patches for referrals in the Heimdal or MIT KDC. But no client
support yet that I know of.


Martin v. Löwis wrote:

> How should a web browser determine the domain
> in the SPN? More specifically, how does IE6 determine
> the domain?
> 
> In our scenario, we have two AD domains: B.com,
> and A.B.com. There is a unidirectional trust: A.B.com
> trusts B.com. The web server is www.A.B.com; it
> has a servicePrincipalName mapping in the Active
> Directory, with a SPN of HTTP/www.a.b.com
> 
> A user foo at A.B.COM can readily authenticate to
> the webserver.
> 
> Also, with MIT Kerberos on Linux, a user who
> has a TGT for bar at B.COM can authenticate to the
> webserver.
> 
> Unfortunately, bar at B.COM can NOT authenticate
> to the webserver with IE6, and neither with
> Mozilla Firefox, using SSPI.
> 
> My guess is that SSPI tries to obtain a ticket
> for HTTP/www.a.b.com at B.COM, when it should ask
> for a ticket for HTTP/www.a.b.com at A.B.COM
> (which it would get).
> 
> How can I tell IE6/SSPI/SPNEGO to go to a
> different KDC for authentication?

You can't, but you could get the user's KDC to
handle referrals.

> 
> TIA,
> Martin
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
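The two realm-selection strategies discussed in this thread, as an added example that is not part of the original posts and is neither SSPI nor MIT krb5 code: a client-side guess from a [domain_realm]-style mapping (longest suffix match, then the upper-cased DNS domain of the host as a fallback), and a walk through KDC referrals in the style of draft-ietf-krb-wg-kerberos-referrals, where the client asks its own realm's KDC and is referred on. The KDC database, the mapping table and the B.COM / A.B.COM scenario are constructed stand-ins built from the thread, not real KDC behaviour.

```python
"""Realm selection for a Kerberos service principal, modelled two ways.

Added example (not from the mailing-list thread, and not SSPI or MIT
krb5 code). It models the two strategies discussed in the thread:

 1. Client-side mapping: the client maps the server's host name to a
    realm itself. The lookup order used here (exact host, then each
    parent domain with a leading dot, then the upper-cased DNS domain
    as a fallback) follows the shape of a krb5.conf [domain_realm]
    lookup; the configuration dicts below are constructed.
 2. KDC referrals (draft-ietf-krb-wg-kerberos-referrals): the client
    asks its own realm's KDC for the service ticket and the KDC refers
    it, via a cross-realm TGT, to the realm that holds the principal.
    The KDC database is a constructed stand-in, not a real KDC.
"""


def host_realm_from_config(host, domain_realm, dns_fallback=True):
    """Return the realm a client would guess for `host`, or None.

    domain_realm mirrors a krb5.conf [domain_realm] section: keys are
    either a full host name or a domain suffix with a leading dot.
    Longest match wins, so ".a.b.com" beats ".b.com" for www.a.b.com.
    """
    h = host.lower().rstrip(".")
    if h in domain_realm:
        return domain_realm[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    if dns_fallback and len(labels) > 1:
        # No mapping: assume realm == upper-cased DNS domain of the host.
        return ".".join(labels[1:]).upper()
    return None


def referral_target(host, referrals):
    """Pick the longest domain suffix in `referrals` that covers `host`."""
    best = None
    for suffix, realm in referrals.items():
        if host.endswith(suffix) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, realm)
    return best[1] if best else None


def resolve_via_referrals(client_realm, spn, kdcs, max_hops=4):
    """Walk KDC referrals from the client's realm until some KDC can
    issue a ticket for `spn`.

    kdcs: realm -> {"services": set of SPNs it can issue tickets for,
                    "referrals": {domain suffix: realm it holds a
                                  cross-realm key for}}
    Returns (issuing_realm or None, list of realms contacted).
    A client that never gets referred (no "referrals" entries) only
    ever talks to its own KDC, which is the failing case in the thread.
    """
    host = spn.split("/", 1)[1].lower()
    realm, path = client_realm, [client_realm]
    for _ in range(max_hops):
        if realm not in kdcs:
            return None, path          # unknown realm, cannot continue
        kdc = kdcs[realm]
        if spn in kdc["services"]:
            return realm, path
        nxt = referral_target(host, kdc["referrals"])
        if nxt is None or nxt in path:
            return None, path          # dead end or referral loop
        realm = nxt
        path.append(realm)
    return None, path


# Constructed scenario from the thread: B.COM user, server in A.B.COM,
# A.B.COM trusts B.COM, so B.COM's KDC can refer the client into A.B.COM.
KDCS = {
    "B.COM":   {"services": set(), "referrals": {".a.b.com": "A.B.COM"}},
    "A.B.COM": {"services": {"HTTP/www.a.b.com"}, "referrals": {}},
}
DOMAIN_REALM = {".a.b.com": "A.B.COM", ".b.com": "B.COM"}

if __name__ == "__main__":
    print(host_realm_from_config("www.a.b.com", DOMAIN_REALM))
    print(host_realm_from_config("www.a.b.com", {}))
    print(resolve_via_referrals("B.COM", "HTTP/www.a.b.com", KDCS))
```

With an empty "referrals" table for B.COM the walk stops at the client's own KDC and returns no issuing realm, which is the behaviour Martin observed from SSPI; with the referral entry present the client is handed on to A.B.COM, which is what the draft is meant to provide.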


