MIT Kerberos problem with Windows clients

Benjamin Kaduk kaduk at MIT.EDU
Thu Jan 16 12:15:25 EST 2014


On Thu, 16 Jan 2014, Morgan Patou wrote:

> From a Unix client, I can execute a Klist command to see that I have a 
> valid ticket (expires in 10h). So the next step is to access to the 
> kerberized application with a web browser. In Mozilla Firefox, I've set 
> the following configuration:
>
>    * network.negotiate-auth.delegation-uris user set string .REALM.COM
>    * network.negotiate-auth.trusted-uris user set string .REALM.COM
>    * network.negotiate-auth.using-native-gsslib user set boolean false

When doing negotiate auth in firefox on windows using MIT kerberos, I've 
always had to set network.auth.use-sspi=false to get firefox to use the 
gssapi library from MIT kerberos.

Other things to pay attention to are whether firefox is 32- or 64-bit (I 
expect it's 32-bit) and that the version of MIT Kerberos installed 
provides the appropriate bittedness gssapi library.  (This is only an 
issue with KfW 3.x and older; KfW 4.x installs both libraries on 64-bit 
machines.)

-Ben Kaduk


More information about the Kerberos mailing list