Brad Lodgen wrote:

Thanks for your reply. I'm not sure if it makes much difference, but I
forgot to say I'm using the 2.0 Alpha latest release.

I am using Windows 7. I downloaded the MIT Kerberos Client for Windows,
added my realm/domain, got my ticket, but I still get the same result. I
used the admin user and the user I added, both same results. I ran kinit on
both before trying, same result. I ran ipa user-find on both, both exist.

Same error message in Firefox, same blank page in IE, same error message on

Any suggestions to move forward?

Did you set this in about:config on your browser?
network.auth.use-sspi false

You might walso want to try this, though I'm not 100% sure if the environment variables work the same way in Windows.

This should give us a client-side view of what the request is doing.

Do you have a Linux machine you can try from as a baseline test?


-----Original Message-----
From: Rob Crittenden [] Sent: Tuesday, April 20, 2010 12:26 PM
To: Brad Lodgen
Subject: Re: [Freeipa-users] Apache Error Immediately After Install

Brad Lodgen wrote:
I have a fresh install. All I've done is kinit admin and added a single user.

I browse to my ipa web server, log in, then get a blank page in IE and in Firefox I get the page at /usr/share/ipa/html/unauthorized.html. I checked the source code for the IE page and it's actually taking me to the same page, just not showing any text. I changed to compatibility mode, same thing. I did all the recommended changes in Firefox, but have the same result.

This is in the Apache error log

[Tue Apr 20 11:48:54 2010] [error] [client X.X.X.X] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

I tried logging in as admin and as a user I added. No luck.

Any ideas for things to try?

What OS are you running Firefox from?

The underlying problem is that you need to do kerberos authentication from within the browser. This is possible in Windows if you install the MIT kerberos client software.

For it to work natively in Windows you'd have to get a ticket as part of a domain login which we don't support (and probably won't for a while).


Freeipa-users mailing list

Reply via email to