kerberos/spnego sso

Michael B Allen mba2000 at ioplex.com
Tue Sep 5 15:26:41 EDT 2006


On Mon, 4 Sep 2006 13:31:58 -0700 (PDT)
John User <johnuser755 at yahoo.com> wrote:

> I am having no luck setting up kerberos/spnego sso:
> The players:
> 
> win2k3 AD box
> win xp client running IE 6 and latest firefox
> Weblogic 8.1 on a redhat box.
> Client trying to access resource on WLS:
> 
> tcpdump shows WLS sending "WWW-Authenticate :
> Negotiate" in response to request for the protected
> resource from IE (and firefox)
> Neither IE nor firefox make any attempt to get a
> session ticket, - though they do send something
> encrypted back in response.

The client probably already had the ticket so no comm. with KDC was
necessary. You should see the client submit 'Authorization: Negotiate
YIIExka83jsmd...more base64 encoded data'.

> There is no other
> WWW-Authenticate header being sent.
> klist shows the client machine does have a tgt.
> Any hints on how to debug, or has anyone had a similar
> experience??
> I have gone through all of the basic documented steps:
> creation of AD user for WL box, keytabfiles, JAAS
> config files... and the various changes on client
> browsers. 

Sounds like it could be working. What exactly indicates to you that it
is not?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/