SPNEGO question
Rick van Rein
rick at openfortress.nl
Mon Nov 9 17:39:39 EST 2015
Hi Pascal,

> I was able to have it to work (with firefox) when calling simple URI
> such as http://host.domain.tld but not when calling
> http://host.domain.tld/test_dir.

That surprises me. I've been putting host.fqdn.names and .domain.names
into the network.negotiate-auth.trusted-uris field in about:config and
not full URIs as the field name suggests, so I wonder how the path could
be of influence.

> I did change the negotiate URI field in firefox configuration,

You were trying to set up the path in the trusted-uris field? That is
not the idea, I think.

The use of trusted-uris is to set up hosts that may receive the Kerberos
tickets, and the path underneath is hardly considered a distribution
across operational boundaries, so it has no real impact on trust.

If your intention is to only pick up the ticket for certain paths, then
you should leave the trusted-uris set to the entire webhost, and set up
the server to only request SPNEGO authentication for the paths that it
considers protected resources.

> but did
> not touch the service keytab (HTTP/<host>). My guess is that the problem
> is there...
>

You cannot change the service keytab for paths; it only mentions the
service name and the server hostname.

> Does this mean that in reality SPNEGO is limited to virtual hosts?
>

Not sure what you're asking. SPNEGO trusted-uris on Firefox are set up
for hostnames AFAIK, and within a server you get to choose when to
trigger SPNEGO by demanding authentication.

> If someone could clarify, this would be more than useful...
>

I hope this helps.

Cheers,
-Rick
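
Added example, not part of the message above and not code from any project discussed on the list: a sketch of the server-side approach described in the reply, where the whole host stays in trusted-uris and the server demands SPNEGO only for protected paths. The names `PROTECTED_PREFIXES`, `spnego_paths`, `is_protected`, `challenge` and `gssapi_accept` are hypothetical, `/test_dir` is taken from the question, and real token acceptance assumes the python-gssapi package with the HTTP/<host> keytab available to the process.

```python
import base64

# Assumption: path prefixes this server treats as protected (constructed).
PROTECTED_PREFIXES = ("/test_dir",)


def gssapi_accept(token):
    """Accept one SPNEGO token via python-gssapi, using the HTTP/<host> keytab."""
    import gssapi  # lazy import: the path logic below runs without it
    ctx = gssapi.SecurityContext(usage="accept")
    reply = ctx.step(token)
    if not ctx.complete:
        raise ValueError("multi-round negotiation not handled here")
    return str(ctx.initiator_name), reply


def is_protected(path):
    # Match whole segments so /test_dir2 is not treated as /test_dir.
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def challenge(start_response):
    # No (valid) ticket yet: ask the browser to start SPNEGO.
    start_response("401 Unauthorized", [("WWW-Authenticate", "Negotiate"),
                                        ("Content-Length", "0")])
    return [b""]


def spnego_paths(app, accept=gssapi_accept):
    """WSGI middleware: demand Negotiate only under PROTECTED_PREFIXES."""
    def middleware(environ, start_response):
        if not is_protected(environ.get("PATH_INFO", "")):
            return app(environ, start_response)  # public path: no challenge
        scheme, _, b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "negotiate" or not b64:
            return challenge(start_response)
        try:
            principal, reply = accept(base64.b64decode(b64, validate=True))
        except Exception:
            return challenge(start_response)  # malformed or rejected token
        environ["REMOTE_USER"] = principal

        def with_reply(status, headers, exc_info=None):
            if reply:  # acceptor's final token, for mutual authentication
                token = base64.b64encode(reply).decode()
                headers = headers + [("WWW-Authenticate", "Negotiate " + token)]
            return start_response(status, headers, exc_info)
        return app(environ, with_reply)
    return middleware
```

The browser only answers the `401` with a ticket when the host matches its trusted-uris setting, so the path decision lives entirely in `is_protected` on the server.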