Thunderbird issues, KfW, Windows domain + separate KDC

Jeffrey Altman jaltman at secure-endpoints.com
Mon Aug 6 10:41:43 EDT 2007


Jeff Blaine wrote:
> Hi all,
>
> I've already addressed this with some of the Thunderbird
> developers and was directed here as it is believed it's
> a configuration problem, not a Thunderbird problem.
>
> ERROR: Server does not support secure authentication (rephrased
>         error message from Thunderbird dialog).
>
> More details on above error found via debugging settings:
>
>             10800[20cf170]: gss_init_sec_context() failed:
>             Unspecified GSS failure.  Minor code may provide
>             more information
>
>                   Server not found in Kerberos database
>
>             10800[20cf170]:   leaving nsAuthGSSAPI::GetNextToken
>             [rv=80004005]
>
> And finally note that the KDC I would like to authenticate to
> (ourkdc.company.org) never logs a single thing related to this
> Thunderbird auth attempt.
Use either Wireshark or Microsoft's Network Monitor to capture the
Kerberos exchange between the client and the KDC.

>
> Client Environment
> ==================
>
> 1.  Thunderbird 1.5.0.12
>
>           network.auth.use-sspi = false
>
> 2.  Kerberos for Windows 3.2
>
> 3.  C:\WINDOWS\krb5.ini contains:
>
> 	[libdefaults]
> 		default_realm = MYREALM.COMPANY.ORG
>
> 	[domain_realm]
> 		.company.org = MYREALM.COMPANY.ORG
> 		company.org = MYREALM.COMPANY.ORG
>
> 	[realms]
> 		MYREALM.COMPANY.ORG = {
> 			kdc = ourkdc.company.org
> 			admin_server = ourkdc.company.org
> 		}
>
> 5.  Credentials for jblaine at MYREALM.COMPANY.ORG are obtained
>      just fine.
Is 'jblaine at MYREALM.COMPANY.ORG' the default identity?
>
> 6.  This client is ALSO part of a Windows domain that I have
>      no control over.  That Windows domain (kerberos-wise) is
>      "COMPANY.ORG" and when Kerberos for Windows starts the
>      credentials for jblaine at COMPANY.ORG are imported.
Or is 'jblaine at COMPANY.ORG' the default identity?

When Thunderbird establishes a GSS context it does not provide a
requested identity, therefore the "default identity" is the one that
will be used.

Jeffrey Altman
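
The following is an added example, not part of the original message and not code from Thunderbird or Kerberos for Windows: it applies the [domain_realm] section of the quoted krb5.ini to a mail server name and shows, for each of the two identities in the credential cache, which realm's KDC would receive the ticket request if that identity were the default. The host mail.company.org, the imap service name and all function names are assumptions; the lookup uses the documented rule of exact host entry first, then parent domains written with a leading dot.

```python
import re

# krb5.ini contents as quoted in the message above
KRB5_INI = """
[libdefaults]
    default_realm = MYREALM.COMPANY.ORG
[domain_realm]
    .company.org = MYREALM.COMPANY.ORG
    company.org = MYREALM.COMPANY.ORG
[realms]
    MYREALM.COMPANY.ORG = {
        kdc = ourkdc.company.org
        admin_server = ourkdc.company.org
    }
"""

def parse_sections(text):
    """Return {section: {key: value}}; brace lines of [realms] blocks are skipped."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def host_realm(host, conf):
    """Exact host entry first, then each parent domain written with a leading dot."""
    table = conf.get("domain_realm", {})
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    # None: no entry matched; what the library tries next depends on its version
    return next((table[c] for c in candidates if c in table), None)

def ticket_request(identity, service, host, conf):
    """Request made with `identity` as default; a TGS-REQ goes to the client's own realm first."""
    client_realm = identity.rsplit("@", 1)[1]
    service_realm = host_realm(host, conf)
    return {
        "service": f"{service}/{host}",
        "service_realm": service_realm,
        "first_kdc_realm": client_realm,
        "needs_cross_realm": service_realm not in (None, client_realm),
    }

if __name__ == "__main__":
    for ident in ("jblaine@MYREALM.COMPANY.ORG", "jblaine@COMPANY.ORG"):  # both caches from the post
        print(ident, ticket_request(ident, "imap", "mail.company.org", parse_sections(KRB5_INI)))
```

Comparing the `first_kdc_realm` value with the KDC addresses seen in the packet capture shows which identity the GSS context actually used.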
