MIT Kerberos problem with Windows clients

Morgan Patou morgan.patou at dbi-services.com
Mon Jan 20 09:58:28 EST 2014


Hi all, 

> As Russ Allbery, one of the (main?) authors of webauth, is very active on this list, maybe you can ask a question like "I'm trying to use Kerberos for the following situation, would webauth or cosign do a better or easier job for that" here and hope for an answer or a hint to the appropriate mailing list from him ;-) 
> According to your tests with Kerberos directly: as my knowledge about Apache and SSO ends here, Kerberos specialists like Greg Hudson and Benjamin Kaduk might help more. 

I don't really know what has happened since Friday, but it seems that Windows Kerberos has now begun to work! I restarted the computer several times between Thursday and Sunday, but it was only this morning that it decided to work. 

Since this morning, when I start my computer, I'm able to log in to the account 'REALM.COM\test1'. After that, I open Firefox and launch the VPN. As soon as the VPN is running, I see the following two lines in the KDC logs: 

Jan 20 15:07:11 xyz.realm.com krb5kdc[1767](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) <VPN Internal IP>: ISSUE: authtime 1390226831, etypes {rep=18 tkt=18 ses=18}, test1 at REALM.COM for krbtgt/REALM.COM at REALM.COM 
Jan 20 15:07:11 xyz.realm.com krb5kdc[1767](info): TGS_REQ (5 etypes {18 17 23 24 -135}) <VPN Internal IP>: ISSUE: authtime 1390226831, etypes {rep=18 tkt=18 ses=18}, test1 at REALM.COM for host/xyz.realm.com at REALM.COM 

And I can access a kerberized application fairly quickly (the page takes between 0.5 and 3 seconds to load). With MIT Kerberos the page still takes 10 minutes to load... So strange! 

Anyway, here are my settings for Firefox: 

* network.negotiate-auth.delegation-uris -- user set -- string -- .REALM.COM 
* network.negotiate-auth.trusted-uris -- user set -- string -- .REALM.COM 
* network.negotiate-auth.using-native-gsslib -- user set -- boolean -- false 
* network.auth.use-sspi -- default -- boolean -- true 


I have another question about Windows tickets. Is it possible to make this ticket "forwardable = true" and "proxiable = true"? One of our kerberized applications is Alfresco. Alfresco Share uses a proxy that redirects everything to Alfresco Explorer. From a Unix client, I just have to put these two settings in the /etc/krb5.conf file, but on Windows I haven't found how to set them up with ksetup. These two lines are already in the configuration file of the KDC, but they need to be in the client's configuration file too. 


Thanks for your help, 
Regards, 
Morgan 
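As an added example (not part of Morgan's post or of MIT Kerberos itself), the following script parses krb5kdc ISSUE lines of the shape quoted above and flags weak encryption types (DES and RC4) offered by the client or actually issued, which is the check an administrator would want when a Windows client starts talking to an MIT KDC. The log sample is constructed from the two lines in the post, with the VPN address replaced by a documentation IP and the archive's "at" mangling restored to "@".

```python
import re

# Constructed sample: the two KDC lines from the post, address replaced by
# an RFC 5737 documentation IP and "test1 at REALM.COM" restored to "@".
SAMPLE_LOG = """\
Jan 20 15:07:11 xyz.realm.com krb5kdc[1767](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.10: ISSUE: authtime 1390226831, etypes {rep=18 tkt=18 ses=18}, test1@REALM.COM for krbtgt/REALM.COM@REALM.COM
Jan 20 15:07:11 xyz.realm.com krb5kdc[1767](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.10: ISSUE: authtime 1390226831, etypes {rep=18 tkt=18 ses=18}, test1@REALM.COM for host/xyz.realm.com@REALM.COM
"""

# Well-known IANA Kerberos etype numbers; negative values such as -135 are
# vendor-specific (Windows) and are reported as unknown rather than guessed.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 2, 3, 23, 24}  # single DES and RC4 variants

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def parse_kdc_line(line):
    """Return a dict describing one ISSUE line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    offered = [int(x) for x in m.group("offered").split()]
    issued = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return {
        "kind": m.group("kind"),
        "addr": m.group("addr"),
        "client": m.group("client"),
        "service": m.group("service"),
        "offered": offered,
        "offered_names": [ETYPE_NAMES.get(e, "unknown") for e in offered],
        "issued": issued,
        # Weak etypes offered are a client-configuration finding; weak etypes
        # actually issued (rep/tkt/ses) are a KDC-policy finding.
        "weak_offered": [e for e in offered if e in WEAK_ETYPES],
        "weak_issued": sorted({v for v in issued.values() if v in WEAK_ETYPES}),
    }


def audit_kdc_log(text):
    """Parse every ISSUE line in the log text, skipping unrelated lines."""
    return [r for r in (parse_kdc_line(l) for l in text.splitlines()) if r]
```

On the sample both requests are issued purely with AES-256 (etype 18), but the client still advertises RC4 and DES, so the finding is on the Windows client's allowed enctypes, not the KDC.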
