SPNEGO auth with service principal in other realm work with IE and not with Firefox
Elia Pinto
gitter.spiros at gmail.com
Wed Oct 19 12:41:00 EDT 2011
2011/10/19 Nebergall, Christopher <cneberg at sandia.gov>:
> Firefox is running on the same windows install as IE? On windows Firefox uses Windows's Kerberos by default so if it is set up correctly it should act the same as IE.
>
> Set up Firefox like this.
>
> network.negotiate-auth.trusted-uris=example.com
> network.negotiate-auth.delegation-uris=example.com
> network.automatic-ntlm-auth.trusted-uris=example.com
>
> or this
>
> network.negotiate-auth.trusted-uris=xxx.example.com, yyy.example.com
> network.negotiate-auth.delegation-uris=xxx.example.com, yyy.example.com
> network.automatic-ntlm-auth.trusted-uris=xxx.example.com, yyy.example.com
>
> (You could limit your URLS to just https https://example.com depending on your use case).
>
Thanks already done. Don't work for web1.YYY.EXAMPLE.COM but work for
web2.XXX.EXAMPLE.COM . regards
> -Christopher
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Elia Pinto
> Sent: Wednesday, October 19, 2011 9:38 AM
> To: kerberos at mit.edu
> Subject: SPNEGO auth with service principal in other realm work with IE and not with Firefox
>
> Hi to all
>
> I have an authentication infrastructure with Windows 2003 AD (realm
> XXX.EXAMPLE.COM) and clients with windows XPSP3
> (XXX.EXAMPLE.COM dns domain). I have a web server
> web1.YYY.EXAMPLE.COM (YYY.EXAMPLE.COM is also an AD domain in the same
> forest with a cross trust kerberos auth with XXX.EXAMPLE.COM) . It
> 'was created on the KDC of XXX.EXAMPLE.COM the
> HTTP/web1.YYY.EXAMPLE.COM @ XXX.EXAMPLE.COM server principal and it
> was correctly configured the web server for doing SPNEGO HTTP
> authentication. Now this works transparently from the clients with IE
> and not firefox. I have successfully configured firefox in about:
> config but although the web server requires the authentication type
> Negotiate firefox does nothing. The question is, but this
> configuration is supposed to work by Kerberos, I thought not, but I
> can not explain why it to work in IE if this is true. I have searched
> but no avail.
>
> Thanks in advance for your help
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
More information about the Kerberos
mailing list