SPNEGO auth with service principal in other realm work with IE and not with Firefox
Douglas E. Engert
deengert at anl.gov
Wed Oct 19 12:34:04 EDT 2011
On 10/19/2011 10:37 AM, Elia Pinto wrote:
> Hi to all
>
> I have an authentication infrastructure with Windows 2003 AD (realm
> XXX.EXAMPLE.COM) and clients with windows XPSP3
> (XXX.EXAMPLE.COM dns domain). I have a web server
> web1.YYY.EXAMPLE.COM (YYY.EXAMPLE.COM is also an AD domain in the same
> forest with a cross trust kerberos auth with XXX.EXAMPLE.COM). It
> was created on the KDC of XXX.EXAMPLE.COM the
> HTTP/web1.YYY.EXAMPLE.COM @ XXX.EXAMPLE.COM server principal and it
> was correctly configured the web server for doing SPNEGO HTTP
> authentication. Now this works transparently from the clients with IE
> and not firefox. I have successfully configured firefox in
> about:config
It is not working so how can you say it was successful?
Can you say what you did here?
A wireshark or other network trace might show what is going on.
http://mbechler.eenterphace.org/blog/index.php?/archives/6-Doing-GSSNegotiate-SSO-using-Mozilla-Firefox,-MIT-Kerberos-and-PHP.html
suggests trying this environment variable:
NSPR_LOG_MODULES=negotiateauth:5
and starting Firefox with the -console option.
Most likely the kerberos/gssapi is having problems with determining
the realm of the server, and the capath to use to get to the server's
KDC.
You may need a krb5.conf or krb5.ini file to list realms of hosts
and maybe the capath.
You may also need to use a different gssapi;
see the about:config network.negotiate-auth.gsslib and
network.negotiate-auth.using-native-gsslib.
> but although the web server requires the authentication type
> Negotiate firefox does nothing. The question is, but this
> configuration is supposed to work by Kerberos, I thought not, but I
> can not explain why it to work in IE if this is true. I have searched
> but no avail.
>
> Thanks in advance for your help
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
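
The reply above suggests a krb5.conf that lists the realms of hosts and the capath. The following checker is an added example, not part of the original message or of any Kerberos distribution: it reports which realm a given krb5.conf yields for the web server and whether a [capaths] entry exists from the client's realm. The sample files are constructed from the realm names in the thread, and the lookup order (full host name, then each parent domain with and without a leading dot) is an assumption modelled on MIT krb5's [domain_realm] handling.

```python
import re

# Constructed krb5.conf using the realm names from the thread (not the poster's file).
SAMPLE = """
[libdefaults]
    default_realm = XXX.EXAMPLE.COM
[domain_realm]
    .yyy.example.com = YYY.EXAMPLE.COM
[capaths]
    XXX.EXAMPLE.COM = {
        YYY.EXAMPLE.COM = .
    }
"""
# Constructed variant: adds a host-specific entry to [domain_realm].
SAMPLE_HOST_ENTRY = SAMPLE.replace(
    "[capaths]", "    web1.yyy.example.com = XXX.EXAMPLE.COM\n[capaths]")

def parse_profile(text):
    """Parse sections, key = value lines and { } blocks of a krb5.conf-style file."""
    sections, stack = {}, [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line.split("=")[0].strip(), {}))
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            stack[-1][key] = value  # simplification: a repeated key keeps its last value
    return sections

def host_realm(mapping, host):
    """Assumed lookup order: full host name, then each parent domain ('.dom', 'dom')."""
    labels = host.lower().split(".")
    suffixes = [".".join(labels[i:]) for i in range(1, len(labels))]
    candidates = [host.lower()] + [c for s in suffixes for c in ("." + s, s)]
    return next((mapping[c] for c in candidates if c in mapping), None)

def check(conf_text, host, spn_realm):
    """Report the realm the config yields for host and whether the SPN lives there."""
    profile = parse_profile(conf_text)
    resolved = host_realm(profile.get("domain_realm", {}), host)
    client = profile["libdefaults"]["default_realm"]
    path = profile.get("capaths", {}).get(client, {}).get(resolved)  # None: no entry
    return {"resolved": resolved, "matches_spn": resolved == spn_realm, "capath": path}
```

With the constructed samples, `check(SAMPLE, "web1.YYY.EXAMPLE.COM", "XXX.EXAMPLE.COM")` resolves the host to YYY.EXAMPLE.COM with a direct capath ("."), while the variant with the host entry resolves it to XXX.EXAMPLE.COM, the realm in which the thread says the HTTP principal was created.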