kerberos/spnego sso

John User johnuser755 at yahoo.com
Tue Sep 5 19:38:24 EDT 2006



--- Michael B Allen <mba2000 at ioplex.com> wrote:

> On Mon, 4 Sep 2006 13:31:58 -0700 (PDT)
> John User <johnuser755 at yahoo.com> wrote:
> 
> > I am having no luck setting up kerberos/spnego sso:
> > The players:
> > 
> > win2k3 AD box
> > win xp client running IE 6 and latest firefox
> > Weblogic 8.1 on a redhat box.
> > Client trying to access resource on WLS:
> > 
> > tcpdump shows WLS sending "WWW-Authenticate :
> > Negotiate" in response to request for the protected
> > resource from IE (and firefox)
> > Neither IE nor firefox make any attempt to get a
> > session ticket, - though they do send something
> > encrypted back in response.
> 
> The client probably already had the ticket so no
> comm. with KDC was
> necessary. You should see the client submit
> 'Authorization: Negotiate
> YIIExka83jsmd...more base64 encoded data'.
>
 
klist on client shows no ticket to HTTP/hostname
If run under IE I get a logon screen. Under Firefox I
get nothing. 
I am assuming that the client is defaulting and
returning not spnego/kerberos, but spnego/NTLM.

One question I have is whether WebLogic needs to add
anything to "Negotiate"? Is this sufficient for IE to
run the default spnego/kerberos packets?


> > There is no other
> > WWW-Authenticate header being sent.
> > klist shows the client machine does have a tgt.
> > Any hints on how to debug, or has anyone had a similar
> > experience??
> > I have gone through all of the basic documented steps:
> > creation of AD user for WL box, keytabfiles, JAAS
> > config files... and the various changes on client
> > browsers.
> 
> Sounds like it could be working. What exactly
> indicates to you that it
> is not?
> 
> Mike
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 
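
One way to check the assumption discussed in this thread, that the browser is answering with NTLM rather than Kerberos, is to decode the base64 that follows `Authorization: Negotiate` and see which mechanism it carries. This is an added example, not code from the original messages; the function name and the sample tokens are constructed for illustration and contain placeholder payloads, not real tickets.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens.
SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos", MS_KRB5: "Kerberos", NTLM: "NTLM"}

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "no token"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid base64"
    if token.startswith(b"NTLMSSP\x00"):   # base64 begins "TlRMTVNTUAA"
        return "raw NTLM"
    if token[:1] != b"\x60":               # 0x60 0x82 encodes as base64 "YII"
        return "unknown"
    # Mechanisms in order of appearance; the first is the one the client prefers.
    found = sorted((token.find(oid), name)
                   for oid, name in MECHS.items() if oid in token)
    if not found:
        return "unknown"
    wrapper = "SPNEGO/" if SPNEGO in token[:16] else "raw "
    return wrapper + found[0][1]

def _tlv(tag, body):
    """Short-form DER tag/length/value; enough for the constructed samples."""
    return bytes([tag, len(body)]) + body

def _sample(mechs, mech_token):
    """Constructed NegTokenInit with a placeholder mechToken."""
    init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"".join(mechs)))
                + _tlv(0xA2, _tlv(0x04, mech_token)))
    blob = _tlv(0x60, SPNEGO + _tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(blob).decode()

KRB_SAMPLE = _sample([MS_KRB5, KRB5, NTLM],
                     _tlv(0x60, KRB5 + b"\x01\x00" + b"\x00" * 8))
NTLM_SAMPLE = _sample([NTLM], b"NTLMSSP\x00\x01\x00\x00\x00")
RAW_NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for value in (KRB_SAMPLE, NTLM_SAMPLE, RAW_NTLM_SAMPLE):
        print(classify_negotiate(value), "<-", value[:30] + "...")
```

Paste the header value captured with tcpdump into `classify_negotiate()`; a result of "raw NTLM" or "SPNEGO/NTLM" means the client never obtained a service ticket for the HTTP service principal.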

