kerberos/spnego sso

Markus Moeller huaraz at moeller.plus.com
Tue Sep 5 20:19:18 EDT 2006


You say WLS replies with Negotiate to the client, which means from there on 
the client has to decide to use Kerberos and if so request a TGS. So it 
seems for some reason your client decides to reject Kerberos as an option 
and selects immediately NTLM. Did you try it from another client machine?

You could try to install MIT kfw and configure firefox to use GSSAPI instead 
of SSPI to see if it works then.

Markus


"John User" <johnuser755 at yahoo.com> wrote in message 
news:20060905234631.2548.qmail at web55111.mail.re4.yahoo.com...
>
> These things have been performed. Absolutely no packet
> goes from client to kdc (and no session ticket exists
> prior) for the sought after hostname. (though as
> mentioned in the first email other tickets exist on
> client, so we know kerberos is functioning and client
> does know the kdc).
>
>
> --- Markus Moeller <huaraz at moeller.plus.com> wrote:
>
>> I guess you checked already the Browser
>> configurations. (On IE Windows
>> Integrated authentication enabled and the domain
>> added to the trusted or
>> local intranet zone, On firefox set
>> network.negotiate-auth.trusted-uris
>> and/or network.negotiate-auth.delegation-uris).
>> Check also with kerbtray if
>> you have a TGS for HTTP/hostname in the MS cache. If
>> not you should see the
>> client sending a TGS_REQ to the kdc on port 88.
>>
>> Regards
>> Markus
>>
>> "John User" <johnuser755 at yahoo.com> wrote in message
>> news:20060904203158.55746.qmail at web55105.mail.re4.yahoo.com...
>> > I am having no luck setting up kerberos/spnego sso:
>> > The players:
>> >
>> > win2k3 AD box
>> > win xp client running IE 6 and latest firefox
>> > Weblogic 8.1 on a redhat box.
>> > Client trying to access resource on WLS:
>> >
>> > tcpdump shows WLS sending "WWW-Authenticate :
>> > Negotiate" in response to request for the protected
>> > resource from IE (and firefox)
>> > Neither IE nor firefox make any attempt to get a
>> > session ticket, - though they do send something
>> > encrypted back in response. There is no other
>> > WWW-Authenticate header being sent.
>> > klist shows the client machine does have a tgt.
>> > Any hints on how to debug, or has anyone had a similar
>> > experience??
>> > I have gone through all of the basic documented steps:
>> > creation of AD user for WL box, keytabfiles, JAAS
>> > config files... and the various changes on client
>> > browsers.
>> >
>> >
>> >
>> >
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>>
>>
>>
>
>

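The "something encrypted" the browsers send back is the base64 blob in the Authorization: Negotiate header, and it settles the question Markus raises: a client that picked Kerberos sends a SPNEGO NegTokenInit whose mechTypes list starts with a Kerberos OID and whose optimistic mechToken is a Kerberos AP-REQ (preceded by a TGS_REQ to port 88), whereas a client that fell back to NTLM sends either a bare NTLMSSP message or a NegTokenInit carrying an NTLMSSP token. The following Python script is an added example, not part of this thread or of any MIT or WebLogic code: it decodes such a blob with a small hand-written DER parser and reports which mechanism was actually chosen. The sample tokens at the bottom are constructed on the spot (the AP-REQ and NTLM Type 1 bodies are placeholders), so the script runs offline; with a real capture you would paste the base64 string from tcpdump or Wireshark into classify_token.

```python
import base64

# Mechanism OIDs seen in HTTP Negotiate tokens.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's historic Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_MAGIC = b"NTLMSSP\x00"          # every raw NTLM message starts with this
OID_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}

# --- minimal DER helpers (encoding only needed for the constructed samples) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

# --- classification ----------------------------------------------------------
def inner_mech_name(mech_token):
    """Name the mechanism of a raw (non-SPNEGO) GSS token or bare NTLM message."""
    if mech_token.startswith(NTLMSSP_MAGIC):
        return "NTLMSSP"
    if mech_token and mech_token[0] == 0x60:          # GSS InitialContextToken
        _, body, _ = read_tlv(mech_token)
        tag, oid_body, _ = read_tlv(body)
        if tag == 0x06:
            oid = decode_oid(oid_body)
            return OID_NAMES.get(oid, oid)
    return "unknown"

def classify_token(b64):
    """Classify the base64 blob from 'Authorization: Negotiate <blob>'."""
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_MAGIC):               # browser sent bare NTLM
        return {"kind": "raw NTLM", "mech_types": [], "optimistic_mech": "NTLMSSP"}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid_body, pos = read_tlv(body)
    this_mech = decode_oid(oid_body)
    if this_mech != SPNEGO_OID:                        # e.g. raw Kerberos AP-REQ
        name = OID_NAMES.get(this_mech, this_mech)
        return {"kind": "raw " + name, "mech_types": [], "optimistic_mech": name}
    # NegotiationToken: [0] NegTokenInit ::= SEQUENCE { [0] mechTypes, [1] reqFlags,
    #                                                   [2] mechToken, [3] mechListMIC }
    neg_tag, neg_body, _ = read_tlv(body, pos)
    if neg_tag != 0xA0:
        return {"kind": "SPNEGO NegTokenResp", "mech_types": [], "optimistic_mech": None}
    _, seq_body, _ = read_tlv(neg_body)
    mech_types, optimistic = [], None
    for ctag, cval in iter_tlvs(seq_body):
        if ctag == 0xA0:                               # mechTypes: SEQUENCE OF OID
            _, list_body, _ = read_tlv(cval)
            mech_types = [decode_oid(v) for t, v in iter_tlvs(list_body) if t == 0x06]
        elif ctag == 0xA2:                             # mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(cval)
            optimistic = inner_mech_name(mech_token)
    return {"kind": "SPNEGO NegTokenInit", "mech_types": mech_types, "optimistic_mech": optimistic}

# --- constructed sample tokens (placeholders, NOT real captures) --------------
def build_neg_token_init(mech_types, mech_token):
    fields = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_types)))
    fields += tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, fields)))

FAKE_NTLM_TYPE1 = NTLMSSP_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 28     # placeholder body
FAKE_KRB_APREQ = tlv(0x60, encode_oid(KRB5_OID) + b"\x01\x00" + b"<ap-req bytes>")
SAMPLE_RAW_NTLM_B64 = base64.b64encode(FAKE_NTLM_TYPE1).decode()
SAMPLE_NTLM_ONLY_B64 = base64.b64encode(build_neg_token_init([NTLMSSP_OID], FAKE_NTLM_TYPE1)).decode()
SAMPLE_KRB_FIRST_B64 = base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_KRB_APREQ)).decode()

if __name__ == "__main__":
    for label, b64 in [("bare NTLM", SAMPLE_RAW_NTLM_B64), ("SPNEGO/NTLM", SAMPLE_NTLM_ONLY_B64),
                       ("SPNEGO/Kerberos", SAMPLE_KRB_FIRST_B64)]:
        print(label, classify_token(b64))
```

If the decoded header shows "raw NTLM", or a NegTokenInit whose mechTypes list and mechToken are NTLMSSP, the browser never tried Kerberos, which matches the absence of any TGS_REQ on port 88; a Kerberos OID at the head of mechTypes together with a Kerberos mechToken means a ticket was obtained and the problem is on the WLS side (keytab or SPN).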