Thunderbird issues, KfW, Windows domain + separate KDC
Jeffrey Altman
jaltman at secure-endpoints.com
Mon Aug 6 10:41:43 EDT 2007
Jeff Blaine wrote:
> Hi all,
>
> I've already addressed this with some of the Thunderbird
> developers and was directed here as it is believed it's
> a configuration problem, not a Thunderbird problem.
>
> ERROR: Server does not support secure authentication (rephrased
> error message from Thunderbird dialog).
>
> More details on above error found via debugging settings:
>
> 10800[20cf170]: gss_init_sec_context() failed:
> Unspecified GSS failure. Minor code may provide
> more information
>
> Server not found in Kerberos database
>
> 10800[20cf170]: leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> And finally note that the KDC I would like to authenticate to
> (ourkdc.company.org) never logs a single thing related to this
> Thunderbird auth attempt.
Use either wireshark or Microsoft's Network Monitor to capture the
Kerberos exchange between the client and the KDC.
>
> Client Environment
> ==================
>
> 1. Thunderbird 1.5.0.12
>
> network.auth.use-sspi = false
>
> 2. Kerberos for Windows 3.2
>
> 3. C:\WINDOWS\krb5.ini contains:
>
> [libdefaults]
> default_realm = MYREALM.COMPANY.ORG
>
> [domain_realm]
> .company.org = MYREALM.COMPANY.ORG
> company.org = MYREALM.COMPANY.ORG
>
> [realms]
> MYREALM.COMPANY.ORG = {
> kdc = ourkdc.company.org
> admin_server = ourkdc.company.org
> }
>
> 5. Credentials for jblaine at MYREALM.COMPANY.ORG are obtained
> just fine.
Is 'jblaine at MYREALM.COMPANY.ORG" the default identity?
>
> 6. This client is ALSO part of a Windows domain that I have
> no control over. That Windows domain (kerberos-wise) is
> "COMPANY.ORG" and when Kerberos for Windows starts the
> credentials for jblaine at COMPANY.ORG are imported.
Of is 'jblaine at COMPANY.ORG' the default identity?
When Thunderbird establishes a GSS context it does not provide a
requested identity, therefore the "default identity" is the one that
will be used.
Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070806/712c8a72/attachment.bin
More information about the Kerberos
mailing list