Using Apache with mod_auth_kerb

Russ Allbery rra at
Mon Dec 1 20:14:08 EST 2008

Ansgar Burchardt <ansgar at> writes:

> I have a small problem with mod_auth_kerb and Firefox 3.0:  While
> authenticating via Kerberos works fine from a computer located in the
> same domain, I cannot get Firefox to authenticate from my home computer.
> I have a Kerberos ticket and Konqueror handles the Kerberos
> authentication just fine, but Firefox seems to have problems.  So far I
> have only found that the option
>     network.negotiate-auth.trusted-uris
> has to be set by me (I set it to `', the web server I
> wish to authenticate to is `'.  I have also tried
> different combinations).  All other `negotiate-auth' related settings
> still have their default values.

After you try to visit the web site in question, run klist.  Does an
HTTP/* ticket for the web server show up in your ticket cache?  If so,
something is going wrong with the Negotiate-Auth part of Firefox's code;
if not, you probably have a more basic problem with mapping the web server
to an existing Kerberos principal.

Make sure that your realm mappings are correct in your /etc/krb5.conf
file, for example.  That's often the problem.

> I am also not quite sure what the network.negotiate-auth.delegation-uris
> is supposed to do.  Will it pass the TGT to the server?

Yes.  Be very careful with this, since it gives the server full access to
do anything Kerberized as you.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list