All -- I'm trying to get iCal to authenticate to caldavd using Kerberos, and as far as I can tell, it never tries: from the logs and traces, it appears that it accesses the given URL once without any authentication, then fails to retry based on the Www-authenticate: headers that it receives. iCal can connect with Digest authentication, and browsers (eg Firefox) can connect using Kerberos, both with no problems.
Has anyone here gotten iCal's Kerberos authentication to work with Darwin Calendar Server? When running on Linux? Background: * caldavd (from dpkg, 1.2.dfsg-4) running on Debian 4.0 (2.6.18-6-xen-amd64, root filesystem using user_xattr). * When using digest authentication (and passwords in accounts.xml), Sunbird and iCal can access calendars, creating and removing appointments and tasks. Browsers (eg Firefox) can also log into protected URLs. * When using Kerberos authentication, Firefox can log into protected URLs (causing a new Kerberos ticket to appear within Kerberos.app), but iCal will return "Login Failed: Your password was rejected by the server julian.csail.mit.edu for the login calendartest." -- using an identical URL to the one that works in Firefox, <http://julian.csail.mit.edu:8008/principals/users/calendartest/> * Switching all URLs to https:// causes no change in behavior with any of the clients mentioned above (other than a radar bug I'd like to file as to iCal not trusting intermediate CAs, but I digress). * Using different machines and/or different kerberos principals reproduces the behavior with all clients. Verbosity: output of "klist" run locally (where clients are being run): > imaction:~ arthurp$ klist > Kerberos 5 ticket cache: 'API:Initial default ccache' > Default principal: [EMAIL PROTECTED] > > Valid Starting Expires Service Principal > 07/24/08 14:23:15 07/25/08 00:23:15 krbtgt/[EMAIL PROTECTED] > renew until 07/31/08 14:23:15 > 07/24/08 14:30:58 07/25/08 00:23:15 HTTP/[EMAIL PROTECTED] > renew until 07/31/08 14:23:15 Entire error.log output corresponding to hitting "add account" in iCal.app through it displaying "Login failed": > 2008-07-24 14:36:21-0400 [-] [caldav-8008] [HTTPChannel,1,128.30.29.5] PROPFIND /principals/users/calendartest/ HTTP/1.1 Entire access.log output for same: > 128.30.29.5 - - [24/Jul/2008:14:36:21 -0400] "PROPFIND /principals/users/calendartest/ HTTP/1.1" 401 141 "-" "DAVKit/2.0 (10.5.4; wrbt) iCal 3.0.4" [8 .9 ms] If caldavd.plist, accounts.plist, and/or tcpdumps would be useful, let me know how best to send them. thanks for any ideas, -arthur prokosch CSAIL, MIT. _______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users
