MIT Kerberos problem with Windows clients
Benjamin Kaduk
kaduk at MIT.EDU
Thu Jan 16 12:15:25 EST 2014

On Thu, 16 Jan 2014, Morgan Patou wrote:
> From a Unix client, I can execute a Klist command to see that I have a
> valid ticket (expires in 10h). So the next step is to access the
> kerberized application with a web browser. In Mozilla Firefox, I've set
> the following configuration:
>
> * network.negotiate-auth.delegation-uris user set string .REALM.COM
> * network.negotiate-auth.trusted-uris user set string .REALM.COM
> * network.negotiate-auth.using-native-gsslib user set boolean false

When doing negotiate auth in firefox on windows using MIT kerberos, I've
always had to set network.auth.use-sspi=false to get firefox to use the
gssapi library from MIT kerberos.

Other things to pay attention to are whether firefox is 32- or 64-bit (I
expect it's 32-bit) and that the version of MIT Kerberos installed
provides the appropriate bittedness gssapi library. (This is only an
issue with KfW 3.x and older; KfW 4.x installs both libraries on 64-bit
machines.)

-Ben Kaduk
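
The 32-/64-bit match described above can be checked by reading the PE headers of the browser executable and the GSSAPI DLL. This is an added example, not part of the original message; the function names and the constructed sample headers are assumptions for illustration, and the two file paths are supplied by the user.

```python
import struct
import sys

# "Machine" values from the COFF file header of a PE image
MACHINES = {0x014C: 32, 0x8664: 64, 0xAA64: 64}  # i386, x86-64, ARM64

def pe_bitness(data: bytes) -> int:
    """Return 32 or 64 for a PE image, using only its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    if machine not in MACHINES:
        raise ValueError(f"unknown machine type {machine:#06x}")
    return MACHINES[machine]

def file_bitness(path: str) -> int:
    """Bitness of a PE file on disk."""
    with open(path, "rb") as f:
        return pe_bitness(f.read())

def matches(browser: bytes, gss_lib: bytes) -> bool:
    """True when the browser process could load the GSSAPI DLL."""
    return pe_bitness(browser) == pe_bitness(gss_lib)

def fake_pe(machine: int) -> bytes:
    """Constructed sample: the smallest header pe_bitness() accepts."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py <path to firefox.exe> <path to gssapi DLL>
        exe, dll = (file_bitness(p) for p in sys.argv[1:3])
        print(f"browser: {exe}-bit, gssapi library: {dll}-bit")
        sys.exit(0 if exe == dll else 1)
    # No paths given: run on constructed headers instead
    print(matches(fake_pe(0x014C), fake_pe(0x8664)))
```

A non-zero exit status means the browser cannot load that DLL, which is the mismatch case the reply warns about for KfW 3.x and older.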