Partial Resolution: Adventures with KfW 3.1b2
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Nov 6 02:52:57 EST 2006
On Nov 4, 2006, at 9:10 AM, Jeffrey Altman wrote:
> Henry B. Hotz wrote:
>>>> Looks like Firefox is using the Windows SSPI instead of the MIT
>>>> GSSAPI library, in spite of the config items saying otherwise.
>>> Or that the GSSAPI is using the MSLSA: credential cache.
>>
>> It's pretty clear that Firefox is still using the SSPI instead of the
>> MIT GSSAPI library. (As you once told me) W2K absent AD, and absent
>> referrals on the KDC, can't tell that a specific experimental web
>> server (redhotz.jpl.nasa.gov) isn't in the JPL.NASA.GOV realm.
>> Firefox is getting an HTTP/redhotz... at JPL... principal in the MSLSA.
>> (That principal exists, but is not used by the actual server.) As
>> the MIT stuff knows, it should get an HTTP/redhotz... at HOTZ.JPL...
>> principal via a cross-realm auth.
>
> Well then there is a bug that needs to be filed with Mozilla.org.
>
>> I think I understand what NetIDMgr and the Windows Kerberos stuff is
>> doing now.
>>
>> I have a Microsoft permission problem w.r.t. that registry setting.
>>
>> I still have a Firefox config issue.
>
> It sounds like it.
There is another config item:

    network.auth.use-sspi false

Now Firefox uses the MIT/Secure-Endpoints gssapi library as you would
expect (with the other network.negotiate-auth.* settings as described
earlier in this thread).

The remaining problem is that W2K does not seem to obey the Registry
setting. Can't import the tgt on login. Presumably this would be OK
in XP, if I could stand the slowdown.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu