Kerberos Digest, Vol 171, Issue 14

Hugh Cole-Baker sigmaris at gmail.com
Thu Mar 23 12:23:13 EDT 2017


> On 23 Mar 2017, at 16:01, kerberos-request at mit.edu wrote:
> 
> Message: 4
> Date: Thu, 23 Mar 2017 13:26:05 +0000
> From: Giuseppe Mazza <g.mazza at imperial.ac.uk>
> Subject: single sign on problem on macOS Sierra (Version 10.12.3) client
> To: kerberos at mit.edu
> Message-ID: <eabbaf42-b885-de5f-9948-fc11b182d2e8 at imperial.ac.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Hello there,
> 
> I have tried to implement single sign-on on my macbook.
> 
> What I can do:
> - I can kinit and get a valid ticket
> - I can ssh into a linux machine that is part of my realm without being asked for 
> a password
> 
> What I can *not* do:
> - browse a webpage even after I have kinit-ed successfully.
> When I access my url, i.e. https://intranet.example.com
> I am prompted with a window asking for my username and password.
> Moreover I have got no entry in /var/log/krb5kdc.log on my kerberos master.
> 
> I am sure the apache server is well configured. If I try to access the 
> same webpage from a linux client, it will work.
> 
> My questions are
> - what is the authentication mechanism used by firefox to use Kerberos 
> for SSO? is it GSS-API?

It's using the GSS-API SPNEGO mechanism over HTTP; RFC 4559 describes how
the mechanism is used for HTTP authentication.

> I am asking because it seems to me that my macbook does not manage to 
> contact my kerberos server in the first place.
> - has anybody managed to configure supported browsers for Kerberos SSO 
> and apache on macOS clients?
> 

Yes, if you're using Firefox you should read
https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
and set the preferences mentioned on that page to whitelist the URLs
you want to use HTTP Negotiate auth with. Firefox will not try Negotiate by
default.
Chrome requires whitelisting servers too, using this setting:
https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist

> 
> Kind regards,
>  Giuseppe

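Added example (not part of the original thread, and not Mozilla's or MIT's code): a small POSIX shell helper that renders the Firefox preferences the reply refers to into `user.js` lines, and checks which URLs an allowlist would cover, approximating the matching Firefox applies to `network.negotiate-auth.trusted-uris` entries (a leading-dot entry covers the domain and its subdomains, a `scheme://host` entry covers exactly that site, a bare hostname covers exactly that host; the authoritative rule is on the MDN page linked above). The profile path, hostnames and allowlist are constructed placeholders.

```shell
#!/bin/sh
# Added example: build Firefox HTTP Negotiate (SPNEGO, RFC 4559) preferences for an
# explicit allowlist and check URL eligibility. Hostnames below are constructed.

# Render the user.js lines for a comma-separated allowlist of trusted URIs.
negotiate_prefs() {
  trusted="$1"
  printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$trusted"
  # Delegation forwards your TGT to the web server; keep it empty unless a
  # specific application must act on your behalf towards further services.
  printf 'user_pref("network.negotiate-auth.delegation-uris", "");\n'
}

# Print "yes" if the URL's site is covered by the allowlist, otherwise "no".
# Arg1: URL, Arg2: comma-separated trusted URIs (approximation of Firefox's rule).
negotiate_allowed() {
  url="$1"; trusted="$2"
  # Reduce the URL to scheme://host (port and path dropped), and to the host alone.
  base=$(printf '%s' "$url" | sed -E 's#^([a-z]+://[^/:]+).*#\1#')
  host=${base#*://}
  result=no
  oldifs=$IFS; IFS=','
  for entry in $trusted; do
    entry=$(printf '%s' "$entry" | sed -E 's/^ +//; s/ +$//')
    case "$entry" in
      .*)                     # domain-suffix entry: the domain or any subdomain
        case "$host" in
          *"$entry"|"${entry#.}") result=yes ;;
        esac ;;
      *://*)                  # scheme://host entry: exact site match
        if [ "$base" = "$entry" ]; then result=yes; fi ;;
      *)                      # bare hostname: exact host match
        if [ "$host" = "$entry" ]; then result=yes; fi ;;
    esac
  done
  IFS=$oldifs
  echo "$result"
}

# Append the preferences to a profile's user.js (constructed profile path).
write_user_js() {
  profile_dir="$1"; trusted="$2"
  negotiate_prefs "$trusted" >> "$profile_dir/user.js"
}

# Demo with a constructed allowlist: one domain suffix and one exact site.
TRUSTED=".example.com, https://kdcadmin.internal"
negotiate_prefs "$TRUSTED"
negotiate_allowed "https://intranet.example.com/" "$TRUSTED"   # yes
negotiate_allowed "https://intranet.example.org/" "$TRUSTED"   # no
```

On macOS the profile directory is under `~/Library/Application Support/Firefox/Profiles/`; after writing `user.js`, restart Firefox. To separate a browser misconfiguration from a server or KDC problem, test the same URL with `curl --negotiate -u : https://intranet.example.com/` after `kinit`: curl performs the RFC 4559 exchange through GSS-API without any browser settings, so a 200 there combined with a browser prompt points at the allowlist, while a failure there points at the server's keytab or the client's `krb5.conf`.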