2012/5/4 Paul Robert Marino <prmari...@gmail.com>:
> There is an Apache module for Kerberos auth that works well. Two notes about
> it: turn on credential caching, because it significantly reduces the load on
> the Kerberos server, and keep in mind that Internet Explorer leaves native
> Kerberos on (you won't get prompted for a user name or password if you have a
> valid Kerberos ticket), but Firefox turns it off by default and I'm not sure
> about Chrome. In other words, if you leave the default setting in Firefox it
> will use basic auth (clear text password unless you use SSL) to interact
> with Apache and subsequently Kerberos. This is a wonderful way to make a
> secure authentication mechanism insecure if you don't use SSL.
> That said, I know for a fact track does work well with Kerberos auth.
That means if the user's browser doesn't support Kerberos, or has Kerberos
off by default, it will break SSO, right?
Maybe I should try FreeIPA in conjunction with CoSign?
Freeipa-users mailing list