Re: [Freeipa-users] Kerberos authentication setup

Fri, 11 Nov 2011 13:58:06 -0800 

Boris Epstein wrote:

On Fri, Nov 11, 2011 at 4:18 PM, Dmitri Pal<d...@redhat.com>  wrote:


On 11/11/2011 03:52 PM, Boris Epstein wrote:

Hello all,
I've got my FreeIPA seemingly running on a Fedora 16 machine but I can not log into it 
from a browser as I get the "Your kerberos ticket is no longer valid." message. 
So the question is: is there a good guide on how to set up the Kerberos components 
involved?

Do you use browser from the same machine as you server or different?
Is it a Linux machine?
What is the browser you are using?

The procedure is (on server):
1) Install server
2) kinit admin (or other user you want to use that you added)
3) start browser
4) follow the prompts reading carefully - accept certs and let the browser 
configuration script run
5) Enjoy the UI

On non server:
1) Install client
2) kinit admin (or other user you want to use that you added)
3) start browser on that machine
4) follow the prompts reading carefully - accept certs and let the browser 
configuration script run
5) Enjoy the UI

If you are trying to access it from a machine that is not a member of the 
domain you have to go to IPA and allow basic auth but we do not recommend it as 
it is insecure.




Thanks.
Boris.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Dmitry,

We intend to have this on a secure network so how do I enable basic
authentication?

And thanks for all your help.




Basic auth defeats the benefits of single sign-on, I would not recommend 
it. If you are using Firefox then getting this set up is usually just a 
one-time bit of pain and then SSO goodness from then on. The beauty is 
you can extend it to all your other apps and get away from sending your 
passwords all over the place.


rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






















					Reply via email to