SPNEGO auth with service principal in other realm works with IE and not with Firefox

Elia Pinto gitter.spiros at gmail.com
Wed Oct 19 12:47:28 EDT 2011


2011/10/19 Douglas E. Engert <deengert at anl.gov>:
>
>
> On 10/19/2011 10:37 AM, Elia Pinto wrote:
>> Hi to all
>>
>> I have an authentication infrastructure with Windows 2003 AD (realm
>> XXX.EXAMPLE.COM) and clients with Windows XP SP3
>> (XXX.EXAMPLE.COM DNS domain). I have a web server
>> web1.YYY.EXAMPLE.COM (YYY.EXAMPLE.COM is also an AD domain in the same
>> forest, with a cross-realm Kerberos trust with XXX.EXAMPLE.COM). The
>> HTTP/web1.YYY.EXAMPLE.COM@XXX.EXAMPLE.COM server principal was created
>> on the KDC of XXX.EXAMPLE.COM, and the web server was correctly
>> configured for SPNEGO HTTP authentication. Now this works transparently
>> from the clients with IE and not with Firefox. I have successfully
>> configured Firefox in about:config
>
> It is not working, so how can you say it was successful?
web1.XXX.EXAMPLE.COM, if accessed with IE, correctly displays my Windows
AD username; Firefox doesn't try to authenticate (I have seen this with
the Live HTTP Headers Firefox extension).
> Can you say what you did here?
>
> A wireshark or other network trace might show what is going on.
>
> http://mbechler.eenterphace.org/blog/index.php?/archives/6-Doing-GSSNegotiate-SSO-using-Mozilla-Firefox,-MIT-Kerberos-and-PHP.html
>
> suggests trying this environment variable:
>  NSPR_LOG_MODULES=negotiateauth:5
> and starting Firefox with the -console option.
>
> Most likely the kerberos/gssapi is having problems with determining
> the realm of the server, and the capath to use to get to the server's
> KDC.
>
> You may need a krb5.conf or krb5.ini file to list realms of hosts
> and maybe the capath.
>
> You may also need to use a different gssapi
> see the about:config network.negotiate-auth.gsslib and using
> network.negotiate-auth.using-native-gsslib
>
Firefox SPNEGO SSO auth is working with other, many other, web
servers. The only difference is that they are in the same DNS domain
as the Windows AD KDC that issued the service principal (e.g. for my
example web2.XXXX.EXAMPLE.COM with the
HTTP/web2.XXXX.EXAMPLE.COM@XXXX.EXAMPLE.COM service principal).
Thanks for the reply

>
>> but although the web server requires the Negotiate authentication
>> type, Firefox does nothing. The question is: is this configuration
>> supposed to work with Kerberos? I thought not, but I cannot explain
>> why it works in IE if that is true. I have searched, but to no avail.
>>
>> Thanks in advance for your help
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
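Douglas's krb5.conf suggestion spelled out, as an added example that is not part of the thread: by its DNS domain the host web1.YYY.EXAMPLE.COM would be mapped to realm YYY.EXAMPLE.COM, while its HTTP principal was registered in XXX.EXAMPLE.COM, so a [domain_realm] entry pins that single host to the realm that actually holds the key. The KDC host names are placeholders; only the realm and host names come from the thread.

```ini
[libdefaults]
    default_realm = XXX.EXAMPLE.COM
    # Do not let DNS TXT records guess the realm; use the mapping below.
    dns_lookup_realm = false

[realms]
    # Placeholder KDC names; the thread does not name the domain controllers.
    XXX.EXAMPLE.COM = {
        kdc = dc1.xxx.example.com
    }
    YYY.EXAMPLE.COM = {
        kdc = dc1.yyy.example.com
    }

[domain_realm]
    # Default rules: a host is assumed to belong to the realm matching its DNS domain.
    .xxx.example.com = XXX.EXAMPLE.COM
    xxx.example.com = XXX.EXAMPLE.COM
    .yyy.example.com = YYY.EXAMPLE.COM
    yyy.example.com = YYY.EXAMPLE.COM
    # Exception: web1 lives in the YYY DNS domain but its HTTP/ principal was
    # created on the XXX KDC. An exact host entry takes precedence over the
    # domain-suffix entries above, so the ticket request goes to the right realm.
    web1.yyy.example.com = XXX.EXAMPLE.COM

[capaths]
    # Direct cross-realm trust between the two AD domains of the forest.
    # "." means no intermediate realm is needed in either direction.
    XXX.EXAMPLE.COM = {
        YYY.EXAMPLE.COM = .
    }
    YYY.EXAMPLE.COM = {
        XXX.EXAMPLE.COM = .
    }
```

With this mapping, `kvno HTTP/web1.yyy.example.com` should obtain a service ticket from XXX.EXAMPLE.COM; if it does, Firefox's negotiateauth log should then show a token being generated for that host.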