kerberos and web authentication

Benjamin Kaduk kaduk at mit.edu
Fri Aug 21 19:30:47 EDT 2020


On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> I created a user keytab. I use curl to authenticate against a web server.
> `curl -u : --negotiate` works randomly (about 33% accuracy). I am
> trying to figure out if it's a webserver issue or Kerberos issue. Is there
> anything else I can do?

There's (at least) a couple things that can come into play for this sort of
scenario (not least because HTTP Negotiate violates some fundamental
assumptions about message- vs. connection-oriented):

Does the web server's hostname have multiple IP addresses in the DNS?  (Is
reverse DNS used for principal canonicalization by the krb5 library?  The
default is "yes" in many versions.)

Does the web server have a pool of backend servers behind a load balancer?

-Ben
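
An added example, not part of the original message: a simplified model of the first two questions above. It lists which HTTP/ service principal a client would derive for each address behind a hostname when reverse DNS is used for canonicalization, and the fraction of addresses that map to a principal the server holds a key for. The host names, addresses, realm and keytab contents are constructed sample values, and the function names are hypothetical.

```python
import socket
from collections import Counter

def dns_forward(host):
    """All addresses the name resolves to (live DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def dns_reverse(ip):
    """PTR name for an address (live DNS); raises OSError if there is none."""
    return socket.gethostbyaddr(ip)[0]

def candidate_principals(host, realm, forward=dns_forward, reverse=dns_reverse):
    """Count the HTTP/ principals a client doing reverse-DNS canonicalization
    could end up requesting, one per address behind `host` (simplified model)."""
    counts = Counter()
    for ip in forward(host):
        try:
            name = reverse(ip)
        except OSError:
            name = host  # assumption: with no PTR record the forward name is kept
        counts[f"HTTP/{name.lower().rstrip('.')}@{realm}"] += 1
    return counts

def expected_success(counts, keytab_principals):
    """Fraction of addresses whose derived principal the server has a key for."""
    total = sum(counts.values())
    good = sum(n for princ, n in counts.items() if princ in keytab_principals)
    return good / total if total else 0.0

# Constructed sample data (documentation address space), not from the thread.
SAMPLE_A = {"web.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.10": "web.example.com.",
              "192.0.2.11": "node2.example.com.",
              "192.0.2.12": "node3.example.com."}

def sample_reverse(ip):
    """Offline stand-in for dns_reverse, backed by SAMPLE_PTR."""
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    counts = candidate_principals("web.example.com", "EXAMPLE.COM",
                                  SAMPLE_A.__getitem__, sample_reverse)
    for princ, n in counts.items():
        print(n, princ)
    print(expected_success(counts, {"HTTP/web.example.com@EXAMPLE.COM"}))
```

Calling `candidate_principals` with only a host and realm uses live DNS. More than one distinct principal in the result means the outcome depends on which address the client picks; in MIT krb5 the reverse lookup is controlled by `rdns` in the `[libdefaults]` section of krb5.conf.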

