On ma, 11 maalis 2019, Alex Corcoles via FreeIPA-users wrote:
On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy <aboko...@redhat.com>
wrote:
Yes, the naming of Kerberos principals is more or less historical. All
browsers only request service tickets to HTTP/<hostname> principal. If
you expect browsers to utilize GSSAPI, your target Kerberos service
principal must be HTTP/.. according to
https://tools.ietf.org/html/rfc4559 section 4.1.
Ah, thanks Alexander, that is actually very useful, as now I would like to
get the negotiation working across a reverse proxy (which I think is not
possible in the way I'd like to- I took it to
https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not
sure that's the best place).
BTW, I think this tidbit is not mentioned in the howtos in the wiki. I
think the wiki is not publicly editable, right? Could someone make a
visible note about that (the link to the RFC is quite interesting)?
Can you point me to a page where you want it added?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
