KfW requests ticket with wrong SPN

Desmond O. Chang dochang at gmail.com
Fri Sep 14 22:42:05 EDT 2012


Hi,


I have a Kerberos-based SSO system.  The Kerberos realm is
"CORP.EXAMPLE.COM".  Every service has its own domain name, such as
"imap.corp.example.com", "wiki.corp.example.com" and so on.

Now I can log in to these services on Debian sid.  But it always fails on
Windows XP.

I've configured Firefox by setting the following preferences:

  network.negotiate-auth.trusted-uris = corp.example.com
  network.negotiate-auth.using-native-gsslib = true
  network.auth.use-sspi = false

I found that, on Windows, KfW requests the ticket with SPN
"wiki.corp.example.com", not "corp.example.com".  In krb5kdc.log,
there is:

  krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2})
192.168.243.163: UNKNOWN_SERVER: authtime 0, user@CORP.EXAMPLE.COM for
HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM, Server not found in
Kerberos database

Then I tried changing the wiki's domain name to "corp.example.com".  This
time I can log in.

So the problem is: How to make KfW request the ticket with SPN
"corp.example.com", not "wiki.corp.example.com",
"imap.corp.example.com" and so on?


Thanks,
Des
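As an added example (not part of the post), the script below scans krb5kdc.log lines of the form quoted above and reports every service principal the KDC rejected with UNKNOWN_SERVER, together with the client addresses that asked for it; since a Kerberos client derives the service principal from the host it connects to (HTTP/wiki.corp.example.com), each name in that report is a principal the KDC has no key for. The sample log lines are constructed to match the excerpt; the format of the ISSUE (success) line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the krb5kdc.log excerpt in the post
# (the ISSUE line format is assumed, not taken from the post).
SAMPLE_LOG = """\
Sep 14 21:10:03 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.163: UNKNOWN_SERVER: authtime 0, user@CORP.EXAMPLE.COM for HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM, Server not found in Kerberos database
Sep 14 21:10:09 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.163: UNKNOWN_SERVER: authtime 0, user@CORP.EXAMPLE.COM for imap/imap.corp.example.com@CORP.EXAMPLE.COM, Server not found in Kerberos database
Sep 14 21:11:40 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.163: ISSUE: authtime 1347664200, etypes {rep=18 tkt=18 ses=18}, user@CORP.EXAMPLE.COM for HTTP/corp.example.com@CORP.EXAMPLE.COM
Sep 14 21:12:01 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.163: UNKNOWN_SERVER: authtime 0, user@CORP.EXAMPLE.COM for HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM, Server not found in Kerberos database
"""

# One TGS_REQ line: "<ip>: <STATUS>: ... <client>@<REALM> for <service>@<REALM>"
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
)


def parse_tgs_requests(log_text):
    """Yield one dict per TGS_REQ line; lines in other formats are skipped."""
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m:
            yield m.groupdict()


def missing_service_principals(log_text):
    """Map each service principal rejected with UNKNOWN_SERVER to how often
    it was requested and from which client addresses."""
    report = defaultdict(lambda: {"count": 0, "clients": set()})
    for req in parse_tgs_requests(log_text):
        if req["status"] == "UNKNOWN_SERVER":
            entry = report[req["server"]]
            entry["count"] += 1
            entry["clients"].add(req["client_ip"])
    return dict(report)


if __name__ == "__main__":
    for spn, info in sorted(missing_service_principals(SAMPLE_LOG).items()):
        clients = ", ".join(sorted(info["clients"]))
        print(f"{spn}: {info['count']} request(s) from {clients}")
```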

