KfW requests ticket with wrong SPN
Benjamin Kaduk
kaduk at MIT.EDU
Sat Sep 15 15:19:35 EDT 2012
On Sat, 15 Sep 2012, 1983-01-06 at gmx.net wrote:
>> Hi,
>>
>>
>> I have a Kerberos-based SSO system. The Kerberos realm is
>> "CORP.EXAMPLE.COM". Every service has its own domain name, such as
>> "imap.corp.example.com", "wiki.corp.example.com" and so on.
>>
>> Now I can log in to these services on Debian sid. But it always fails on
>> Windows XP.
>>
>> I've configured Firefox by setting the following preferences:
>>
>> network.negotiate-auth.trusted-uris = corp.example.com
>> network.negotiate-auth.using-native-gsslib = true
>> network.auth.use-sspi = false
>
> Why did you disable SSPI? This works quite well with Unix-based servers.
Off the top of my head (and my memory may be incorrect), the Windows SSPI
libraries only access credentials in the Windows LSA credentials store,
which is not populated by stock KfW 3.2.
With respect to the OP's question, KfW 3.2 is based off MIT krb5 version
1.6, which is rather old. It might be worth just giving your services
credentials named for the service's domain name (e.g.,
wiki.corp.example.com) as a workaround so the server principal name
matches the server name.
-Ben Kaduk
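As an added illustration of the SPN-mismatch diagnosis discussed in this thread (not code from the list, from KfW or from Firefox): it builds the HTTP service principal a Negotiate client would request for a URL, applies a simplified model of Firefox's trusted-uris matching, and checks the result against a constructed list of keytab principals before and after the workaround Ben describes. The trusted-uris matching rule and the keytab contents are assumptions.

```python
"""Check whether the SPN a Negotiate client requests for a URL is one the
server actually holds a key for (constructed example, not KfW/Firefox code)."""
from urllib.parse import urlsplit

REALM = "CORP.EXAMPLE.COM"  # realm named in the original post

def trusted_for_negotiate(url: str, trusted_uris: str) -> bool:
    """Simplified model (assumption) of network.negotiate-auth.trusted-uris:
    each comma-separated entry matches the host exactly or as a domain suffix."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in trusted_uris.split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False

def expected_spn(url: str, realm: str = REALM) -> str:
    """A GSSAPI HTTP client builds the server principal from the URL host:
    HTTP/<host>@<REALM>. No DNS canonicalization is modelled here."""
    host = (urlsplit(url).hostname or "").lower()
    return f"HTTP/{host}@{realm}"

def diagnose(url: str, trusted_uris: str, keytab_principals: set) -> str:
    """Explain why Negotiate login to `url` would fail for this client."""
    if not trusted_for_negotiate(url, trusted_uris):
        return "no-negotiate: host not covered by trusted-uris"
    spn = expected_spn(url)
    if spn in keytab_principals:
        return "ok"
    return f"spn-mismatch: client requests {spn}"

# Constructed keytab contents: the wiki host only had a key for the box's
# canonical name before the workaround; Ben's suggestion adds one named for
# the service's own domain name so the principal matches the server name.
KEYTAB_BEFORE = {"HTTP/srv01.corp.example.com@CORP.EXAMPLE.COM"}
KEYTAB_AFTER = KEYTAB_BEFORE | {"HTTP/wiki.corp.example.com@CORP.EXAMPLE.COM"}
TRUSTED = "corp.example.com"  # value from the original post

if __name__ == "__main__":
    url = "https://wiki.corp.example.com/"
    print("before:", diagnose(url, TRUSTED, KEYTAB_BEFORE))
    print("after: ", diagnose(url, TRUSTED, KEYTAB_AFTER))
```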