Adventures with KfW 3.1b2

Henry B. Hotz hotz at
Fri Nov 3 13:24:13 EST 2006

Installed on a W2K Virtual PC on MacOS 10.4.8.  Windows Update seems  
to think I have all the latest and greatest.

Nit:  The credential window accumulates background-color garbage when  
you drag other windows over it.  View->Refresh view does fix the  

Now we get to the real questions:  Can I make Firefox do cross-realm  
with the MIT libraries?  I've set:

network.negotiate-auth.gsslib		C:\Program Files\MIT\lib\i386 
network.negotiate-auth.trusted-uris		https://
network.negotiate-auth.using-native-gsslib	false.

Logout.  (Don't reboot.)

"Failed to renew credentials for hotz at JPL..." on login.  Opened  
NetIDMgr and typed password to get new tgt.  (I thought KfW used to  
import the tgt (or at least the password to get a tgt with) as well  
as the service tickets.  I *think* I have all the relevant options set.)

Firefox works fine with web sites in the main JPL.NASA.GOV realm.  I  
want to use the MIT gssapi library because I want to configure some  
specific machines to be in a different realm, even though there is no  
DNS distinction.  This is outside of AD.

Opened Firefox 2.0.  Tried to connect to 

Get a basic-auth prompt.  Kerbtray shows a HTTP/ at JPL.NASA.GOV, not a HTTP/... at HOTZ.JPL.NASA.GOV  
service ticket.  (If you reopen it.  I guess it doesn't auto- 
update.)  NetIDMgr shows the same thing.

In a command prompt window "kvno -c API:hotz at JPL.NASA.GOV HTTP/ at HOTZ.JPL.NASA.GOV" will correctly get the cross- 
realm tgt, and the HTTP service principal.

Looks like Firefox is using the Windows SSPI instead of the MIT  
GSSAPI library, in spite of the config items saying otherwise.

Nit:  Should I attach any significance to klist -A (on Mac) vice  
klist -C (on W2K)?  Also the default "API:" ccache names are  
completely different.  This isn't wrong, just confusing for someone  
trying to work cross-platform.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list