KfW requests ticket with wrong SPN
Mantas Mikulėnas
grawity at gmail.com
Sun Sep 16 08:32:33 EDT 2012
On Sun, Sep 16, 2012 at 1:25 PM, Michael-O <1983-01-06 at gmx.net> wrote:
> On 2012-09-15 21:19, Benjamin Kaduk wrote:
>> On Sat, 15 Sep 2012, 1983-01-06 at gmx.net wrote:
>>
>>>> Hi,
>>>>
>>>>
>>>> I have a Kerberos-based SSO system. The Kerberos realm is
>>>> "CORP.EXAMPLE.COM". Every service has its own domain name, such as
>>>> "imap.corp.example.com", "wiki.corp.example.com" and so on.
>>>>
>>>> Now I can log in to these services on Debian sid. But it always fails on
>>>> Windows XP.
>>>>
>>>> I've configured Firefox by setting the following preferences:
>>>>
>>>> network.negotiate-auth.trusted-uris = corp.example.com
>>>> network.negotiate-auth.using-native-gsslib = true
>>>> network.auth.use-sspi = false
>>>
>>> Why did you disable SSPI? This works quite well with Unix-based servers.
>>
>> Off the top of my head (and my memory may be incorrect), the Windows
>> SSPI libraries only access credentials in the Windows LSA credentials
>> store, which is not populated by stock KfW 3.2.
>
> I am aware of that. I just wanted to know why he uses KfW at all and not
> SSPI.

If this is a simple Kerberos realm (not Active Directory), configuring
LSA to obtain Kerberos credentials is much more troublesome than
setting up KfW.
--
Mantas Mikulėnas