kerberos/spnego sso

Michael B Allen mba2000 at ioplex.com
Tue Sep 5 21:54:46 EDT 2006


On Tue, 5 Sep 2006 16:38:24 -0700 (PDT)
John User <johnuser755 at yahoo.com> wrote:

> > > Neither IE nor firefox make any attempt to get a
> > > session ticket, - though they do send something
> > > encrypted back in response.
> > 
> > The client probably already had the ticket so no
> > comm. with KDC was
> > necessary. You should see the client submit
> > 'Authorization: Negotiate
> > YIIExka83jsmd...more base64 encoded data'.
> >
>  
> klist on client shows no ticket to HTTP/hostname

This sounds like a problem I had. I never figured it out. I concluded
that despite having asked the user to check various settings multiple times,
they must have simply been incorrect.

Go through the various sites lists and eradicate all applicable
entries. There should be only one entry in the IntrAnet sites list. It
must be in a form like:

  http://*.domain.com

If you're using a proxy, try temporarily disabling the proxy settings
(or add the target site to the proxy exclusion list).

> If run under IE I get a logon screen. Under Firefox I
> get nothing. 
> I am assuming that the client is defaulting and
> returning not spnego/kerberos, but spnego/NTLM.

Install WireShark, reboot, start WireShark, and visit the site. Send me
the capture if you're not certain about what to look for.

> One question I have is whether WebLogic needs to add
> anything to "Negotiate"? Is this sufficient for IE to
> run the default spnego/kerberos packets?

Nope. The initial HTTP response header is simply:

  WWW-Authenticate: Negotiate

and nothing more. That is all that should be necessary for IE to initiate
a Kerberos authentication. It should try to get a ticket for the target
SPN and then submit a base64 encoded token in a header that looks like:

  Authorization: Negotiate YIIjasJSHjS<snipbase64encodedstuff>kSJSjSf==

Please let us know what you find either way. Like I said, I had one
customer that was completely stumped by this. If I were better at VB
I would write a little script to check all the necessary settings, try
to get a service ticket, and do a simple authenticated HTTP request as
a diagnostic.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
