SPNEGO question

Rick van Rein rick at openfortress.nl
Mon Nov 9 17:39:39 EST 2015


Hi Pascal,

> I was able to have it to work (with firefox) when calling simple URI
> such as http://host.domain.tld but not when calling
> http://host.domain.tld/test_dir.

That surprises me.  I've been putting host.fqdn.names and .domain.names
into the network.negotiate-auth.trusted-uris field in about:config and
not full URIs as the field name suggests, so I wonder how the path could
be of influence.

> I did change the negotiate URI field in firefox configuration,

You were trying to set up the path in the trusted-uris field?  That is
not the idea, I think.

The use of trusted-uris is to set up hosts that may receive the Kerberos
tickets, and the path underneath is hardly considered a distribution
across operational boundaries, so it has no real impact on trust.

If your intention is to only pick up the ticket for certain paths, then
you should leave the trusted-uris set to the entire webhost, and set up
the server to only request SPNEGO authentication for the paths that it
considers protected resources.

> but did
> not touch the service keytab (HTTP/<host>). My guess is that the problem
> is there...
>
You cannot change the service keytab for paths; it only mentions the
service name and the server hostname.

> Does this mean that in reality SPNEGO is limited to virtual hosts?
>
Not sure what you're asking.  SPNEGO trusted-uris on Firefox are set up
for hostnames AFAIK, and within a server you get to choose when to
trigger SPNEGO by demanding authentication.

> If someone could clarify, this would be more than useful...
>
I hope this helps.


Cheers,
 -Rick
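To make the division of labour in Rick's reply concrete, here is an added example that is not part of the thread: the browser-side trusted-uris check is host-based (exact FQDN or leading-dot domain suffix) and ignores the path, while the server decides per path whether to demand Negotiate. The trusted-uris value, the protected prefix and the tiny WSGI app are constructed for illustration and are not Firefox's matching code or any real server module.

```python
"""Constructed model of who decides what in an SPNEGO-protected site."""
from urllib.parse import urlsplit

TRUSTED_URIS = "host.domain.tld,.corp.example"   # constructed sample value
PROTECTED_PREFIXES = ("/test_dir",)               # paths that require SPNEGO


def host_is_trusted(url: str, trusted_uris: str = TRUSTED_URIS) -> bool:
    """Client side: exact hostname or '.domain' suffix; the path is ignored."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in (e.strip().lower() for e in trusted_uris.split(",") if e.strip()):
        if entry.startswith("."):
            if host.endswith(entry):       # '.corp.example' matches web.corp.example
                return True
        elif host == entry:                # 'host.domain.tld' matches only that host
            return True
    return False


def needs_negotiate(path: str) -> bool:
    """Server side: only these paths are protected resources."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def app(environ, start_response):
    """Minimal WSGI app: challenge with Negotiate only under protected paths.

    Placeholder: a real server must validate the token with GSSAPI against
    the HTTP/<host> keytab; here any 'Negotiate ...' header is accepted.
    """
    path = environ.get("PATH_INFO", "/")
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if needs_negotiate(path) and not auth.startswith("Negotiate "):
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", "Negotiate"), ("Content-Type", "text/plain")])
        return [b"SPNEGO required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def respond(path: str, authorization: str = "") -> tuple:
    """Drive the app with a constructed request; return (status, headers)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"PATH_INFO": path}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    app(environ, start_response)
    return captured["status"], captured["headers"]
```

Note that `host_is_trusted` gives the same answer for `http://host.domain.tld` and `http://host.domain.tld/test_dir`, which is why a path never belongs in trusted-uris; the keytab principal `HTTP/<host>` likewise carries no path.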

