Nathan Lager wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 04/20/2012 02:26 PM, Rob Crittenden wrote:
Have you configured the browser for Kerberos?
http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html



That error seems to indicate that the domain isn't defined in
network.negotiate-auth.trusted-uris

regards

rob

I've been through the clicky-clicky that ipa's web gui sends you
through (accepting the certs, and configuring the browser), a number
of times.  I just confirmed the trusted uri's and delegation uris.
They are both correct, they look like: .my.ipa.domain.com

I even tried resetting delegation-uris, and trusted-uri's to the
default, and then allowing the ipa web gui to re-configure them, it
hasnt helped.

Thanks for the response.  Sorry for the delay in mine.

Hmm, that is very strange. The code in question in Firefox looks like:

        bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
        if (!allowed) {
            LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
            return NS_ERROR_ABORT;
        }

which seems to be the error you are seeing. It's a shame there isn't more logging around the uris.

I see that you had enabled debug logging on the Apache side. Can you provide some more context on the failed request?

thanks

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to