SPNEGO auth with service principal in other realm work with IE and not with Firefox

Nebergall, Christopher cneberg at sandia.gov
Wed Oct 19 12:36:18 EDT 2011


Firefox is running on the same windows install as IE?  On windows Firefox uses Windows's Kerberos by default so if it is set up correctly it should act the same as IE.

Set up Firefox like this.

network.negotiate-auth.trusted-uris=example.com
network.negotiate-auth.delegation-uris=example.com
network.automatic-ntlm-auth.trusted-uris=example.com

or this

network.negotiate-auth.trusted-uris=xxx.example.com, yyy.example.com
network.negotiate-auth.delegation-uris=xxx.example.com, yyy.example.com
network.automatic-ntlm-auth.trusted-uris=xxx.example.com, yyy.example.com

(You could limit your URLS to just https https://example.com depending on your use case).

-Christopher
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Elia Pinto
Sent: Wednesday, October 19, 2011 9:38 AM
To: kerberos at mit.edu
Subject: SPNEGO auth with service principal in other realm work with IE and not with Firefox

Hi to all

I have an authentication infrastructure with Windows 2003 AD (realm
XXX.EXAMPLE.COM) and clients with windows XPSP3
(XXX.EXAMPLE.COM dns  domain). I have a web server
web1.YYY.EXAMPLE.COM (YYY.EXAMPLE.COM is also an AD domain in the same
forest with a cross trust kerberos auth with XXX.EXAMPLE.COM) . It
'was created  on  the KDC of XXX.EXAMPLE.COM the
HTTP/web1.YYY.EXAMPLE.COM @ XXX.EXAMPLE.COM server principal and it
was correctly configured the web server for doing SPNEGO HTTP
authentication. Now this works transparently from the  clients with IE
and not firefox. I have successfully configured firefox in about:
config but although the web server requires the authentication type
Negotiate firefox does nothing. The question is, but this
configuration is supposed to work by Kerberos, I thought not, but I
can not explain why it to work in IE if this is true. I have searched
but no avail.

Thanks in advance for your help
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos






More information about the Kerberos mailing list