kerberos/spnego sso

John User johnuser755 at yahoo.com
Tue Sep 5 20:51:41 EDT 2006



--- Markus Moeller <huaraz at moeller.plus.com> wrote:

> You say WLS replies with Negotiate to the client, which means from there on
> the client has to decide to use Kerberos and if so request a TGS. So it
> seems for some reason your client decides to reject Kerberos as an option
> and selects immediately NTLM. Did you try it from another client machine?

Did try another XP box. Same result. So started to
look and see if any recent MS bugs existed. Not sure
that was fruitful.
> 
> You could try to install MIT kfw and configure firefox to use GSSAPI instead
> of SSPI to see if it works then.

will get kfw tonight and try. (for some reason I
thought firefox did use GSSAPI??)


> 
> Markus
> 
> 
> "John User" <johnuser755 at yahoo.com> wrote in message
> news:20060905234631.2548.qmail at web55111.mail.re4.yahoo.com...
> >
> > These things have been performed. Absolutely no packet
> > goes from client to kdc (and no session ticket exists
> > prior) for the sought after hostname. (though as
> > mentioned in the first email other tickets exist on
> > client, so we know kerberos is functioning and client
> > does know the kdc).
> >
> >
> > --- Markus Moeller <huaraz at moeller.plus.com> wrote:
> >
> >> I guess you checked already the Browser configurations. (On IE Windows
> >> Integrated authentication enabled and the domain added to the trusted or
> >> local intranet zone, On firefox set network.negotiate-auth.trusted-uris
> >> and/or network.negotiate-auth.delegation-uris). Check also with kerbtray if
> >> you have a TGS for HTTP/hostname in the MS cache. If not you should see the
> >> client sending a TGS_REQ to the kdc on port 88.
> >>
> >> Regards
> >> Markus
> >>
> >> "John User" <johnuser755 at yahoo.com> wrote in message
> >> news:20060904203158.55746.qmail at web55105.mail.re4.yahoo.com...
> >> > I am having no luck setting up kerberos/spnego sso:
> >> > The players:
> >> >
> >> > win2k3 AD box
> >> > win xp client running IE 6 and latest firefox
> >> > Weblogic 8.1 on a redhat box.
> >> > Client trying to access resource on WLS:
> >> >
> >> > tcpdump shows WLS sending "WWW-Authenticate :
> >> > Negotiate" in response to request for the protected
> >> > resource from IE (and firefox)
> >> > Neither IE nor firefox make any attempt to get a
> >> > session ticket, - though they do send something
> >> > encrypted back in response. There is no other
> >> > WWW-Authenticate header being sent.
> >> > klist shows the client machine does have a tgt.
> >> > Any hints on how to debug, or has anyone had a similar
> >> > experience??
> >> > I have gone through all of the basic documented steps:
> >> > creation of AD user for WL box, keytabfiles, JAAS
> >> > config files... and the various changes on client
> >> > browsers.
> >> > ________________________________________________
> >> > Kerberos mailing list           Kerberos at mit.edu
> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
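
The thread turns on what the browser actually sent back after the server's `WWW-Authenticate: Negotiate`. As an added example (not written by anyone in the thread), this Python sketch classifies the base64 token taken from a captured `Authorization: Negotiate` header as bare NTLM or SPNEGO and lists the mechanisms offered; the function name, result keys and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",              # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos 5 (MS legacy)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",               # 1.3.6.1.4.1.311.2.2.10
}

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"kind": "no-negotiate-token", "mechs": []}
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"kind": "malformed", "mechs": []}
    if token.startswith(b"NTLMSSP\x00"):
        # Bare NTLM message with no SPNEGO wrapper: Kerberos was never offered.
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"],
                "ntlm_type": int.from_bytes(token[8:12], "little")}
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        # Heuristic, not a full DER parse: OIDs in order of first appearance,
        # which for a NegTokenInit is the order of its mechTypes list.
        hits = sorted((token.find(oid), name)
                      for oid, name in MECH_OIDS.items() if oid in token)
        return {"kind": "spnego", "mechs": [name for _, name in hits]}
    return {"kind": "unknown", "mechs": []}

def _der(tag, body):
    """Minimal DER TLV builder for bodies shorter than 128 bytes (samples only)."""
    return bytes([tag, len(body)]) + body

# Constructed sample tokens, not captured traffic.
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30,
        b"".join(MECH_OIDS))))))).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_RAW_NTLM, SAMPLE_SPNEGO):
        print(classify_negotiate(sample))
```

A `raw-ntlm` result, or a `spnego` result whose list contains only NTLMSSP, corresponds to the symptom discussed in the thread: the client answered without offering Kerberos.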





More information about the Kerberos mailing list