kerberos and web authentication
Benjamin Kaduk
kaduk at mit.edu
Fri Aug 21 19:30:47 EDT 2020
On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> I created a user keytab. I use curl to authenticate against a web server.
> `curl -u : --negotitate` it works randomly (about 33% accuracy). I am
> trying to figure out if its a webserver issue or kerberos issue. Is there
> anything else I can do?
There's (at least) a couple things that can come into play for this sort of
scenario (not least because HTTP Negotiate violates some fundamental
assumptions about message- vs. connection-oriented):
Does the web server's hostname have multiple IP addresses in the DNS? (Is
reverse DNS used for principal canonicalization by the krb5 library? The
default is "yes" in many versions.)
Does the web server have a pool of backend servers behind a load balancer?
-Ben
More information about the Kerberos
mailing list