kerberos and web authentication

Rita rmorgan466 at gmail.com
Fri Aug 21 20:04:24 EDT 2020


hi

The webserver has DNS aliases but not multiple IPs. On a client level is it
possible to disable the reverse lookup? I am not sure if its backed up a
pool of servers -- is there a way to find out from a client?

On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk <kaduk at mit.edu> wrote:

> On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> > I created a user keytab. I use curl to authenticate against a web server.
> > `curl -u : --negotitate` it works randomly (about 33% accuracy). I am
> > trying to figure out if its a webserver issue or kerberos issue. Is there
> > anything else I can do?
>
> There's (at least) a couple things that can come into play for this sort of
> scenario (not least because HTTP Negotiate violates some fundamental
> assumptions about message- vs. connection-oriented):
>
> Does the web server's hostname have multiple IP addresses in the DNS?  (Is
> reverse DNS used for principal canonicalization by the krb5 library?  The
> default is "yes" in many versions.)
>
> Does the web server have a pool of backend servers behind a load balancer?
>
> -Ben
>


-- 
--- Get your facts first, then you can distort them as you please.--


More information about the Kerberos mailing list