Partial Resolution: Adventures with KfW 3.1b2

Henry B. Hotz hotz at
Mon Nov 6 02:52:57 EST 2006

On Nov 4, 2006, at 9:10 AM, Jeffrey Altman wrote:

> Henry B. Hotz wrote:
>>>> Looks like Firefox is using the Windows SSPI instead of the MIT
>>>> GSSAPI library, in spite of the config items saying otherwise.
>>> Or that the GSSAPI is using the MSLSA: credential cache.
>> It's pretty clear that Firefox is still using the SSPI instead of the
>> MIT GSSAPI library.  (As you once told me) W2K absent AD, and absent
>> referrals on the KDC, can't tell that a specific experimental web
>> server ( isn't in the JPL.NASA.GOV realm.
>> Firefox is getting an HTTP/redhotz... at JPL... prinicpal in the MSLSA.
>> (That principal exists, but is not used by the actual server.)  As
>> the MIT stuff knows, it should get an HTTP/redhotz... at HOTZ.JPL...
>> principal via a cross-realm auth.
> Well then there is a bug that needs to be filed with
>> I think I understand what NetIDMgr and the Windows Kerberos stuff is
>> doing now.
>> I have a Microsoft permission problem w.r.t. that registry setting.
>> I still have a Firefox config issue.
> It sounds like it.

There is another config item:

network.auth.use-sspi	false

Now Firefox uses the MIT/Secure-Endpoints gssapi library as you would  
expect (with the other network.negotiate-auth.* settings as described  
earlier in this thread).

The remaining problem is that W2K does not seem to obey the Registry  
setting.  Can't import the tgt on login.  Presumably this would be OK  
in XP, if I could stand the slowdown.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list