KfW requests ticket with wrong SPN
Desmond O. Chang
dochang at gmail.com
Fri Sep 14 22:42:05 EDT 2012
Hi,
I have a Kerberos-based SSO system. The Kerberos realm is
"CORP.EXAMPLE.COM". Every service has its own domain name, such as
"imap.corp.example.com", "wiki.corp.example.com" and so on.
Now I can log in to these services on Debian sid. But it always fails on
Windows XP.
I've configured Firefox by setting the following preferences:
network.negotiate-auth.trusted-uris = corp.example.com
network.negotiate-auth.using-native-gsslib = true
network.auth.use-sspi = false
I found that, on Windows, KfW requests the ticket with SPN
"wiki.corp.example.com", not "corp.example.com". In krb5kdc.log,
there is:
krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2})
192.168.243.163: UNKNOWN_SERVER: authtime 0, user@CORP.EXAMPLE.COM for
HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM, Server not found in
Kerberos database
Then I tried to change wiki's domain name to "corp.example.com". This
time I could log in.
So the problem is: How to make KfW request the ticket with SPN
"corp.example.com", not "wiki.corp.example.com",
"imap.corp.example.com" and so on?
Thanks,
Des
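
The krb5kdc.log entry quoted in the message records exactly which service principal the client asked the KDC for. As an added example (not part of the original post), the following Python code collects UNKNOWN_SERVER TGS_REQ entries from krb5kdc.log text and maps each requested principal to the clients that asked for it. The sample log lines are constructed, and the parser accepts both "@" and the " at " form that mailing-list archives substitute for it.

```python
import re
from collections import defaultdict

# Constructed sample lines in krb5kdc.log style (not taken from a real KDC).
SAMPLE_LOG = """\
Sep 14 22:40:11 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.163: UNKNOWN_SERVER: authtime 0,  user@CORP.EXAMPLE.COM for HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM, Server not found in Kerberos database
Sep 14 22:40:15 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.163: UNKNOWN_SERVER: authtime 0,  user@CORP.EXAMPLE.COM for HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM, Server not found in Kerberos database
Sep 14 22:41:02 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.20: ISSUE: authtime 1347676800, etypes {rep=18 tkt=18 ses=18}, user@CORP.EXAMPLE.COM for HTTP/corp.example.com@CORP.EXAMPLE.COM
Sep 14 22:41:30 kdc krb5kdc[27686](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.243.164: UNKNOWN_SERVER: authtime 0, other at CORP.EXAMPLE.COM for imap/imap.corp.example.com at CORP.EXAMPLE.COM, Server not found in Kerberos database
"""

# "@" in a real log; " at " when the log was pasted through a list archive.
SEP = r"(?:@| at )"
UNKNOWN = re.compile(
    r"TGS_REQ \([^)]*\) (?P<addr>\S+): UNKNOWN_SERVER: authtime \d+,\s+"
    r"(?P<client>\S+?)" + SEP + r"(?P<crealm>\S+) for "
    r"(?P<service>\S+?)" + SEP + r"(?P<srealm>[^\s,]+),"
)

def unknown_service_principals(log_text):
    """Map each SPN the KDC could not find to the (client, address) pairs that requested it."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            spn = f"{m['service']}@{m['srealm']}"
            missing[spn].add((f"{m['client']}@{m['crealm']}", m["addr"]))
    return dict(missing)

if __name__ == "__main__":
    for spn, clients in sorted(unknown_service_principals(SAMPLE_LOG).items()):
        who = ", ".join(f"{c} from {a}" for c, a in sorted(clients))
        print(f"{spn}: requested by {who}")
```
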