kerberos/spnego sso

Thomas A. La Porte tlaporte at anim.dreamworks.com
Tue Sep 5 19:45:16 EDT 2006


What is the value of "network.negotiate-auth.trusted-uris" in 
Firefox (type "about:config" in the URL location bar to see the 
value)?

If it's blank, Firefox won't attempt SPNEGO authentication with 
any web sites.

  -- Tom

Thomas A. La Porte, DreamWorks Animation
<mailto:tlaporte at anim.dreamworks.com>

On Tue, 5 Sep 2006, John User wrote:

>
>
> --- Michael B Allen <mba2000 at ioplex.com> wrote:
>
>> On Mon, 4 Sep 2006 13:31:58 -0700 (PDT)
>> John User <johnuser755 at yahoo.com> wrote:
>>
>>> I am having no luck setting up kerberos/spnego sso:
>>> The players:
>>>
>>> win2k3 AD box
>>> win xp client running IE 6 and latest firefox
>>> Weblogic 8.1 on a redhat box.
>>> Client trying to access resource on WLS:
>>>
>>> tcpdump shows WLS sending "WWW-Authenticate :
>>> Negotiate" in response to request for the protected
>>> resource from IE (and firefox)
>>> Neither IE nor firefox make any attempt to get a
>>> session ticket, - though they do send something
>>> encrypted back in response.
>>
>> The client probably already had the ticket so no comm. with KDC was
>> necessary. You should see the client submit 'Authorization: Negotiate
>> YIIExka83jsmd...more base64 encoded data'.
>>
>
> klist on client shows no ticket to HTTP/hostname
> If run under IE I get a logon screen. Under Firefox I
> get nothing.
> I am assuming that the client is defaulting and
> returning not spnego/kerberos, but spnego/NTLM.
>
> One question I have is whether WebLogic needs to add
> anything to "Negotiate"? Is this sufficient for IE to
> run the default spnego/kerberos packets?
>
>
>>> There is no other
>>> WWW-Authenticate header being sent.
>>> klist shows the client machine does have a tgt.
>>> Any hints on how to debug, or has anyone had a similar
>>> experience??
>>> I have gone through all of the basic documented steps:
>>> creation of AD user for WL box, keytabfiles, JAAS
>>> config files... and the various changes on client
>>> browsers.
>>
>> Sounds like it could be working. What exactly indicates to you that it
>> is not?
>>
>> Mike
>>
>> --
>> Michael B Allen
>> PHP Active Directory SSO
>> http://www.ioplex.com/
>>
>
>
>
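
Added example, not part of the original thread: a way to check whether a captured "Authorization: Negotiate" value carries Kerberos or NTLM, which is the question raised in the quoted exchange above. It decodes the base64 token and reads the GSS-API/SPNEGO framing (a token starting "YII" is the 0x60 0x82 GSS-API header; one starting "TlRMTVNT" is bare NTLMSSP). The names tlv and classify_negotiate and the result strings are hypothetical.

```python
import base64

# DER contents (no tag/length) of the mechanism OIDs of interest.
SPNEGO = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}

def tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length

def classify_negotiate(header_value):
    """Classify the value of an Authorization header (hypothetical helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):   # bare NTLM, no GSS-API framing
            return "raw-ntlm"
        t0, p, _ = tlv(tok, 0)               # 0x60: GSS-API initial token
        t1, p, n = tlv(tok, p)               # 0x06: outer mechanism OID
        if (t0, t1) != (0x60, 0x06):
            return "unknown"
        outer = tok[p:p + n]
        p += n
        if outer != SPNEGO:                  # e.g. a bare Kerberos GSS token
            return MECHS.get(outer, "unknown")
        # Descend NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, p, n = tlv(tok, p)
            if tag != expected:
                return "spnego/unknown"
        tag, p, n = tlv(tok, p)              # first (preferred) mechType OID
        return "spnego/" + MECHS.get(tok[p:p + n], "unknown")
    except (ValueError, IndexError):         # bad base64 or truncated DER
        return "malformed"

if __name__ == "__main__":
    # Constructed sample: the first bytes of a bare NTLM negotiate message.
    raw = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
    print(classify_negotiate("Negotiate " + raw))
```
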


