mod_auth_kerb, cross_realm and IE
Douglas E. Engert
deengert at anl.gov
Thu Jun 20 08:03:10 EDT 2013
On 6/19/2013 5:44 PM, Booker Bense wrote:
> I'm working with mod_auth_kerb and from a linux box, it works fine with
> tickets from both of our realms, WIN.SLAC.STANFORD.EDU and SLAC.STANFORD.EDU
> .
>
> Browsers running on windows boxes (IE and Firefox ) fail with this error in
> the
> apache server logs.
>
> Warning: received token seems to be NTLM, which isn't supported by the
> Kerberos module. Check your IE configuration.
>
> Some googling suggests that there needs to be some configuration on the AD
> side.
>
> I know little about AD, but that post suggests that the server needs an AD
> entry
> of some kind to enable the browser to use kerberos credentials. Does anyone
> know what the appropriate entry would be for a webserver
For browsers this might help:
https://wiki.shibboleth.net/confluence/display/SHIB2/Single+sign-on+Browser+configuration
You may have to add both realms and website to the list of trusted sites.
(I don't have much experience with cross realm these days.)
Also look google for: ie enable windows integrated authentication
>
> foo.slac.stanford.edu
>
> being accessed by clients in
>
> win.slac.stanford.edu
>
>>From the unix side of things cross-realm appears to be working just fine. I
> can easily get service tickets for unix servers using the windows tgt.
>
> thanks,
>
> - Booker C. Bense
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list