KfW requests ticket with wrong SPN

Desmond O. Chang dochang at gmail.com
Mon Sep 17 11:36:33 EDT 2012


Benjamin Kaduk <kaduk at MIT.EDU> writes:

> On Sat, 15 Sep 2012, 1983-01-06 at gmx.net wrote:
>
>>> Hi,
>>>
>>>
>>> I have a Kerberos-based SSO system.  The Kerberos realm is
>>> "CORP.EXAMPLE.COM".  Every service has its own domain name, such as
>>> "imap.corp.example.com", "wiki.corp.example.com" and so on.
>>>
>>> Now I can log in to these services on Debian sid.  But it always fails on
>>> Windows XP.
>>>
>>> I've configured Firefox by setting the following preferences:
>>>
>>>   network.negotiate-auth.trusted-uris = corp.example.com
>>>   network.negotiate-auth.using-native-gsslib = true
>>>   network.auth.use-sspi = false
>>
>> Why did you disable SSPI? This works quite well with Unix-based servers.
>
> Off the top of my head (and my memory may be incorrect), the Windows
> SSPI libraries only access credentials in the Windows LSA credentials
> store, which is not populated by stock KfW 3.2.
>
> With respect to the OP's question, KfW 3.2 is based off MIT krb5
> version 1.6, which is rather old.  It might be worth just giving your
> services credentials named for the service's domain name (e.g.,
> wiki.corp.example.com) as a workaround so the server principal name
> matches the server name.

Thank you.  I added all domain names.  Now I can log in on Windows XP.
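
A check for the workaround suggested in the quoted reply, as an added example that is not part of the original thread: it parses `klist -k` output and reports which service names the clients connect to have no matching principal in the keytab. The keytab contents, the `web01` machine name and the function names are constructed for illustration.

```python
import re

# Constructed sample of `klist -k` output; web01 is a hypothetical machine name.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web01.corp.example.com@CORP.EXAMPLE.COM
   3 HTTP/web01.corp.example.com@CORP.EXAMPLE.COM
   2 imap/imap.corp.example.com@CORP.EXAMPLE.COM
"""

# A keytab entry line is "<kvno> <principal>"; header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def keytab_principals(klist_output):
    """Return the set of principal names listed by `klist -k`."""
    principals = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            # The same principal repeats once per enctype; the set dedups it.
            principals.add(m.group(2))
    return principals


def missing_spns(klist_output, services, realm):
    """services: iterable of (service, hostname) pairs as clients address them.

    Returns the principals a client would request that have no key in the
    keytab, in the order the services were given.
    """
    have = keytab_principals(klist_output)
    missing = []
    for svc, host in services:
        # Principal names are case-sensitive; hostnames are lowercased here.
        expected = f"{svc}/{host.lower()}@{realm}"
        if expected not in have:
            missing.append(expected)
    return missing


if __name__ == "__main__":
    services = [("HTTP", "wiki.corp.example.com"),
                ("imap", "imap.corp.example.com")]
    for spn in missing_spns(SAMPLE_KLIST, services, "CORP.EXAMPLE.COM"):
        print("no key for", spn)
```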

