Using Apache with mod_auth_kerb
Russ Allbery
rra at stanford.edu
Mon Dec 1 20:14:08 EST 2008
Ansgar Burchardt <ansgar at 2008.43-1.org> writes:
> I have a small problem with mod_auth_kerb and Firefox 3.0: While
> authenticating via Kerberos works fine from a computer located in the
> same domain, I cannot get Firefox to authenticate from my home computer.
>
> I have a Kerberos ticket and Konqueror handles the Kerberos
> authentication just fine, but Firefox seems to have problems. So far I
> have only found that the option
> network.negotiate-auth.trusted-uris
> has to be set by me (I set it to `https://example.com', the web server I
> wish to authenticate to is `https://www.example.com'. I have also tried
> different combinations). All other `negotiate-auth' related settings
> still have their default values.
After you try to visit the web site in question, run klist. Does an
HTTP/* ticket for the web server show up in your ticket cache? If so,
something is going wrong with the Negotiate-Auth part of Firefox's code;
if not, you probably have a more basic problem with mapping the web server
to an existing Kerberos principal.
Make sure that your realm mappings are correct in your /etc/krb5.conf
file, for example. That's often the problem.
> I am also not quite sure what the network.negotiate-auth.delegation-uris
> is supposed to do. Will it pass the TGT to the server?
Yes. Be very careful with this, since it gives the server full access to
do anything Kerberized as you.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list