kerberos/spnego sso

John User johnuser755 at yahoo.com
Tue Sep 5 19:46:31 EDT 2006 

These things have been performed. Absolutely no packet
goes from client to kdc (and no session ticket exists
prior) for the sought after hostname. (though as
mentioned in the first email other tickets exist on
client, so we know kerberos is functioning and client
does know the kdc).


--- Markus Moeller <huaraz at moeller.plus.com> wrote:

> I guess you checked already  the Browser
> configurations. (On IE Windows 
> Integrate authentication enabled and the domain
> added to the trusted or 
> local intranet zone, On firefox set
> network-negotiate-auth.trusted-uris 
> and/or network.negotiate-auth.delegation-uris).
> Check also with kerbtray if 
> you have a TGS for HTTP/hostname in the MS cache. If
> not you should see the 
> client sending a TGS_REQ to the kdc on port 88.
> 
> Regards
> Markus
> 
> "John User" <johnuser755 at yahoo.com> wrote in message
> 
>
news:20060904203158.55746.qmail at web55105.mail.re4.yahoo.com...
> >I am having no luck setting up kerberos/spnego sso:
> > The players:
> >
> > win2k3 AD box
> > win xp client running IE 6 and latest firefox
> > Weblogic 8.1 on a redhat box.
> > Client trying to access resource on WLS:
> >
> > tcpdump shows WLS sending "WWW-Authenticate :
> > Negotiate" in response to request for the
> protected
> > resource from IE (and firefox)
> > Neither IE nor firefox make any attempt to get a
> > session ticket, - though they do send something
> > encrtpted back in response. There is no other
> > WWW-Authenticate header being sent.
> > klist shows the client machine does have a tgt.
> > Any hints on how to debug, or has anyone had a
> similar
> > experience??
> > I have gone through all of the basic documented
> steps:
> > creation of AD user for WL box, keytabfiles, JAAS
> > config files... and the various changes on client
> > browsers.
> >
> >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> protection around
> > http://mail.yahoo.com
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the Kerberos mailing list