kerberos/spnego sso
Markus Moeller
huaraz at moeller.plus.com
Tue Sep 5 17:55:03 EDT 2006
I guess you checked already the Browser configurations. (On IE Windows
Integrate authentication enabled and the domain added to the trusted or
local intranet zone, On firefox set network-negotiate-auth.trusted-uris
and/or network.negotiate-auth.delegation-uris). Check also with kerbtray if
you have a TGS for HTTP/hostname in the MS cache. If not you should see the
client sending a TGS_REQ to the kdc on port 88.
Regards
Markus
"John User" <johnuser755 at yahoo.com> wrote in message
news:20060904203158.55746.qmail at web55105.mail.re4.yahoo.com...
>I am having no luck setting up kerberos/spnego sso:
> The players:
>
> win2k3 AD box
> win xp client running IE 6 and latest firefox
> Weblogic 8.1 on a redhat box.
> Client trying to access resource on WLS:
>
> tcpdump shows WLS sending "WWW-Authenticate :
> Negotiate" in response to request for the protected
> resource from IE (and firefox)
> Neither IE nor firefox make any attempt to get a
> session ticket, - though they do send something
> encrtpted back in response. There is no other
> WWW-Authenticate header being sent.
> klist shows the client machine does have a tgt.
> Any hints on how to debug, or has anyone had a similar
> experience??
> I have gone through all of the basic documented steps:
> creation of AD user for WL box, keytabfiles, JAAS
> config files... and the various changes on client
> browsers.
>
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list