KfW requests ticket with wrong SPN

Benjamin Kaduk kaduk at MIT.EDU
Sat Sep 15 15:19:35 EDT 2012


On Sat, 15 Sep 2012, 1983-01-06 at gmx.net wrote:

>> Hi,
>>
>>
>> I have a Kerberos-based SSO system.  The Kerberos realm is
>> "CORP.EXAMPLE.COM".  Every service has its own domain name, such as
>> "imap.corp.example.com", "wiki.corp.example.com" and so on.
>>
>> Now I can log in to these services on Debian sid.  But it always fails on
>> Windows XP.
>>
>> I've configured Firefox by setting the following preferences:
>>
>>   network.negotiate-auth.trusted-uris = corp.example.com
>>   network.negotiate-auth.using-native-gsslib = true
>>   network.auth.use-sspi = false
>
> Why did you disable SSPI? This works quite well with Unix-based servers.

Off the top of my head (and my memory may be incorrect), the Windows SSPI 
libraries only access credentials in the Windows LSA credentials store, 
which is not populated by stock KfW 3.2.

With respect to the OP's question, KfW 3.2 is based off MIT krb5 version 
1.6, which is rather old.  It might be worth just giving your services 
credentials named for the service's domain name (e.g., 
wiki.corp.example.com) as a workaround so the server principal name 
matches the server name.

-Ben Kaduk
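As an added illustration (not part of this thread or of KfW), the Python below models how a krb5 1.6-era client derives the service principal from a hostname by following DNS canonicalization (CNAME, then reverse lookup) and checks that name against the principals a service's keytab holds, which is the mismatch the workaround above avoids. The zone data, the assumption that wiki.corp.example.com is a CNAME, and the PTR names are constructed.

```python
# Added example: model of krb5 1.6-style sname canonicalization plus a
# keytab check. DNS data is constructed; a real client uses getaddrinfo()
# and PTR lookups instead of these tables.
from typing import List, Optional

REALM = "CORP.EXAMPLE.COM"  # realm from the thread

# Constructed zone: "wiki" is assumed to be an alias for www01, and the
# reverse record for imap's address points at a differently named host.
DNS = {
    "wiki.corp.example.com.": ("CNAME", "www01.corp.example.com."),
    "www01.corp.example.com.": ("A", "10.0.0.5"),
    "imap.corp.example.com.": ("A", "10.0.0.6"),
}
PTR = {"10.0.0.5": "www01.corp.example.com.", "10.0.0.6": "mail01.corp.example.com."}


def canonical_host(name: str, rdns: bool = True) -> str:
    """Lower-case, follow CNAMEs, then (if rdns) trust the PTR name, as old krb5 did."""
    fqdn = name.lower().rstrip(".") + "."
    seen = set()
    while fqdn in DNS and DNS[fqdn][0] == "CNAME":
        if fqdn in seen:
            raise ValueError("CNAME loop")
        seen.add(fqdn)
        fqdn = DNS[fqdn][1]
    if fqdn not in DNS:
        raise ValueError(f"no address record for {name}")
    if rdns:
        # reverse lookup on the address; fall back to the forward name
        fqdn = PTR.get(DNS[fqdn][1], fqdn)
    return fqdn.rstrip(".")


def requested_spn(service: str, host: str, rdns: bool = True) -> str:
    """The principal the client will ask the KDC for, e.g. HTTP/www01...@REALM."""
    return f"{service}/{canonical_host(host, rdns)}@{REALM}"


def keytab_mismatch(keytab_principals: List[str], service: str, host: str) -> Optional[str]:
    """Return the SPN the client will request if the keytab lacks it, else None."""
    spn = requested_spn(service, host)
    return None if spn in keytab_principals else spn
```

Running keytab_mismatch against the principals listed by `klist -k` on the server shows which name the service must also hold a key for (or which DNS record to fix).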

