Re: Thunderbird issues, KfW, Windows domain + separate KDC

Mon, 06 Aug 2007 07:45:12 -0700 

Jeff Blaine wrote:
> Hi all,
>
> I've already addressed this with some of the Thunderbird
> developers and was directed here as it is believed it's
> a configuration problem, not a Thunderbird problem.
>
> ERROR: Server does not support secure authentication (rephrased
>         error message from Thunderbird dialog).
>
> More details on above error found via debugging settings:
>
>             10800[20cf170]: gss_init_sec_context() failed:
>             Unspecified GSS failure.  Minor code may provide
>             more information
>
>                   Server not found in Kerberos database
>
>             10800[20cf170]:   leaving nsAuthGSSAPI::GetNextToken
>             [rv=80004005]
>
> And finally note that the KDC I would like to authenticate to
> (ourkdc.company.org) never logs a single thing related to this
> Thunderbird auth attempt.
Use either wireshark or Microsoft's Network Monitor to capture the
Kerberos exchange between the client and the KDC.

>
> Client Environment
> ==================
>
> 1.  Thunderbird 1.5.0.12
>
>           network.auth.use-sspi = false
>
> 2.  Kerberos for Windows 3.2
>
> 3.  C:\WINDOWS\krb5.ini contains:
>
>       [libdefaults]
>               default_realm = MYREALM.COMPANY.ORG
>
>       [domain_realm]
>               .company.org = MYREALM.COMPANY.ORG
>               company.org = MYREALM.COMPANY.ORG
>
>       [realms]
>               MYREALM.COMPANY.ORG = {
>                       kdc = ourkdc.company.org
>                       admin_server = ourkdc.company.org
>               }
>
> 5.  Credentials for [EMAIL PROTECTED] are obtained
>      just fine.
Is '[EMAIL PROTECTED]" the default identity?
>
> 6.  This client is ALSO part of a Windows domain that I have
>      no control over.  That Windows domain (kerberos-wise) is
>      "COMPANY.ORG" and when Kerberos for Windows starts the
>      credentials for [EMAIL PROTECTED] are imported.
Of is '[EMAIL PROTECTED]' the default identity?

When Thunderbird establishes a GSS context it does not provide a
requested identity, therefore the "default identity" is the one that
will be used.

Jeffrey Altman

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to