2012/5/4 Paul Robert Marino<prmari...@gmail.com>:
There is a apache module for kerberos auth that works well two notes about
it turn on credential caching because it significantly reduces the load on
the kerberos server and keep in mind that internet explorer leaves native
kerberos on (you won't get prompted for a user name or password if you hve a
valid kerberos ticket) but firefox turns it off by default and I'm not sure
about crome. In other words if you leave the default setting in firefox it
will use basic auth (clear text password unless you use ssl) to interact
with apache and subsequently kerberos. This is a wonderfull way to make a
secure authentication mechanisim insecure if you don't use ssl.
That said I know for a fact track does work well with kerberos auth.
That means if user's browser doesn't support kerberos or with kerberos
off by default, it will break SSO, right?
Maybe I should try FreeIPA in conjunction with CoSign?
Firefox needs to be configured to be allowed to perform Kerberos SSO in
a domain. FreeIPA 2.2 introduced a forms-based login so you don't have
to fall back to basic authentication (with KrbMethodK5Passwd on).
In practice all web-based Kerberos should be protected by SSL.
Freeipa-users mailing list