kerberos/spnego sso

John User johnuser755 at yahoo.com
Tue Sep 5 19:50:36 EDT 2006


These have been changed to reflect the appropriate
host sought. 
Though that brings to mind the question: IE defaults
to ntlm, is this also the case for firefox?? 

--- "Thomas A. La Porte"
<tlaporte at anim.dreamworks.com> wrote:

> What is the value of
> "network.negotiate-auth.trusted-uris" in 
> Firefox (type "about:config" in the URL location bar
> to see the 
> value).
> 
> If it's blank, Firefox won't attempt SPNEGO
> authentication with 
> any web sites.
> 
>   -- Tom
> 
> Thomas A. La Porte, DreamWorks Animation
> <mailto:tlaporte at anim.dreamworks.com>
> 
> On Tue, 5 Sep 2006, John User wrote:
> 
> >
> >
> > --- Michael B Allen <mba2000 at ioplex.com> wrote:
> >
> >> On Mon, 4 Sep 2006 13:31:58 -0700 (PDT)
> >> John User <johnuser755 at yahoo.com> wrote:
> >>
> >>> I am having no luck setting up kerberos/spnego sso:
> >>> The players:
> >>>
> >>> win2k3 AD box
> >>> win xp client running IE 6 and latest firefox
> >>> Weblogic 8.1 on a redhat box.
> >>> Client trying to access resource on WLS:
> >>>
> >>> tcpdump shows WLS sending "WWW-Authenticate :
> >>> Negotiate" in response to request for the protected
> >>> resource from IE (and firefox)
> >>> Neither IE nor firefox make any attempt to get a
> >>> session ticket, - though they do send something
> >>> encrypted back in response.
> >>
> >> The client probably already had the ticket so no
> >> comm. with KDC was
> >> necessary. You should see the client submit
> >> 'Authorization: Negotiate
> >> YIIExka83jsmd...more base64 encoded data'.
> >>
> >
> > klist on client shows no ticket to HTTP/hostname
> > If run under IE I get a logon screen. Under Firefox I
> > get nothing.
> > I am assuming that the client is defaulting and
> > returning not spnego/kerberos, but spnego/NTLM.
> >
> > One question I have is whether WebLogic needs to add
> > anything to "Negotiate"? Is this sufficient for IE to
> > run the default spnego/kerberos packets?
> >
> >
> >>> There is no other
> >>> WWW-Authenticate header being sent.
> >>> klist shows the client machine does have a tgt.
> >>> Any hints on how to debug, or has anyone had a similar
> >>> experience??
> >>> I have gone through all of the basic documented steps:
> >>> creation of AD user for WL box, keytabfiles, JAAS
> >>> config files... and the various changes on client
> >>> browsers.
> >>
> >> Sounds like it could be working. What exactly
> >> indicates to you that it
> >> is not?
> >>
> >> Mike
> >>
> >> --
> >> Michael B Allen
> >> PHP Active Directory SSO
> >> http://www.ioplex.com/
> >>
> >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> 


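The open question in this thread is whether the browser answers the "WWW-Authenticate: Negotiate" challenge with Kerberos or falls back to NTLM. As an added example (not part of any poster's message; the function names and sample tokens are constructed here), this Python sketch classifies the token from a captured "Authorization: Negotiate" header by the mechanism OIDs it carries.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (MS variant)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value.

    Heuristic byte matching, not a full ASN.1 parser: in a SPNEGO
    NegTokenInit the mechTypes list precedes the mechToken, so the
    mechanism OID that appears first is the client's preferred one.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"                 # NTLM sent without a SPNEGO wrapper
    if tok[:1] != b"\x60":                # GSS-API InitialContextToken tag
        return "unknown"
    hits = sorted((tok.find(oid), name) for oid, name in MECHS.items() if oid in tok)
    if not hits:
        return "unknown"
    wrapper = "spnego" if OID_SPNEGO in tok[:16] else "raw"
    return f"{wrapper}-{hits[0][1]}"

def _der(tag, body):
    """Constructed-sample helper: short-form DER TLV (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_header(*mech_names):
    """Build a constructed NegTokenInit offering the mechanisms in order."""
    # Reversed so "kerberos" maps to the standard (first-listed) OID.
    by_name = {name: oid for oid, name in reversed(list(MECHS.items()))}
    mechs = b"".join(by_name[n] for n in mech_names)
    init = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, mechs))))
    return "Negotiate " + base64.b64encode(_der(0x60, OID_SPNEGO + init)).decode()
```

A result of "raw-ntlm" or "spnego-ntlm" on a captured header means the client never requested a service ticket for the HTTP principal.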


