spnego
Tuomas
tuomaksen.spammiposti at gmail.com
Tue Sep 16 16:15:04 EDT 2008
Michael B Allen wrote:
> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
> <tuomaksen.spammiposti at gmail.com> wrote:
>> I also found out using wireshark what Internet Explorer does when it
>> fails to authenticate using Kerberos. It asks a ticket from the Active
>> Directory server for HTTP/virtualhost.domain.com instead of
>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>> anyone found solutions for this?
>
> That's not a bug. You will need to add SPNs to the desired account
> (using setspn) for each virtual hostname.
I see, just can't understand why this is happening occasionally. At
least it makes things harder.
Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still
didn't work as they should. Now i apache's error.log I get:
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information (Key table entry not found)
I understand that I should have also virtualhost.domain.com defined in
my keytab, just don't have any idea how to do that.
Thanks for all the help!
-Tuomas
More information about the Kerberos
mailing list