KfW requests ticket with wrong SPN

Desmond O. Chang dochang at gmail.com
Mon Sep 17 11:41:32 EDT 2012


Mantas Mikulėnas <grawity at gmail.com> writes:

> On Sun, Sep 16, 2012 at 1:25 PM, Michael-O <1983-01-06 at gmx.net> wrote:
>> On 2012-09-15 21:19, Benjamin Kaduk wrote:
>>> On Sat, 15 Sep 2012, 1983-01-06 at gmx.net wrote:
>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>> I have a Kerberos-based SSO system.  The Kerberos realm is
>>>>> "CORP.EXAMPLE.COM".  Every service has its own domain name, such as
>>>>> "imap.corp.example.com", "wiki.corp.example.com" and so on.
>>>>>
>>>>> Now I can log in to these services on Debian sid.  But it always fails on
>>>>> Windows XP.
>>>>>
>>>>> I've configured Firefox by setting the following preferences:
>>>>>
>>>>>   network.negotiate-auth.trusted-uris = corp.example.com
>>>>>   network.negotiate-auth.using-native-gsslib = true
>>>>>   network.auth.use-sspi = false
>>>>
>>>> Why did you disable SSPI? This works quite well with Unix-based servers.
>>>
>>> Off the top of my head (and my memory may be incorrect), the Windows
>>> SSPI libraries only access credentials in the Windows LSA credentials
>>> store, which is not populated by stock KfW 3.2.
>>
>> I am aware of that. I just wanted to know why he uses KfW at all and not
>> SSPI.
>
> If this is a simple Kerberos realm (not Active Directory), configuring
> LSA to obtain Kerberos credentials is much more troublesome than
> setting up KfW.

Yes, the Kerberos server is installed on Debian wheezy.  I want to
deploy a platform-independent and open-source SSO system.


