On 10/19/2011 10:37 AM, Elia Pinto wrote:
> Hi to all
>
> I have an authentication infrastructure with Windows 2003 AD (realm
> XXX.EXAMPLE.COM) and clients with windows XPSP3
> (XXX.EXAMPLE.COM dns domain). I have a web server
> web1.YYY.EXAMPLE.COM (YYY.EXAMPLE.COM is also an AD domain in the same
> forest with a cross trust kerberos auth with XXX.EXAMPLE.COM). It
> was created on the KDC of XXX.EXAMPLE.COM the
> HTTP/web1.YYY.EXAMPLE.COM @ XXX.EXAMPLE.COM server principal and it
> was correctly configured the web server for doing SPNEGO HTTP
> authentication. Now this works transparently from the clients with IE
> and not firefox. I have successfully configured firefox in about:
> config

It is not working so how can you say it was successful?
Can you say what you did here? A wireshark or other network trace
might show what is going on.

http://mbechler.eenterphace.org/blog/index.php?/archives/6-Doing-GSSNegotiate-SSO-using-Mozilla-Firefox,-MIT-Kerberos-and-PHP.html
suggests trying this environment variable:
NSPR_LOG_MODULES=negotiateauth:5
and starting Firefox with the -console option.

Most likely the kerberos/gssapi is having problems with determining the realm
of the server, and the capath to use to get the server's KDC.
You may need a krb5.conf or krb5.ini file to list realms of hosts and maybe the capath.

You may also need to use a different gssapi; see the about:config
network.negotiate-auth.gsslib and using network.negotiate-auth.using-native-gsslib

> but although the web server requires the authentication type
> Negotiate firefox does nothing. The question is, but this
> configuration is supposed to work by Kerberos, I thought not, but I
> can not explain why it to work in IE if this is true. I have searched
> but no avail.
>
> Thanks in advance for your help
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
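
A krb5.conf sketch of what the reply above suggests: listing the realm of the web server host and a capath between the two realms. This is an added example, not part of the original message or anyone's actual configuration. The KDC host names are hypothetical placeholders, and the host-to-realm mapping assumes the HTTP principal really lives in XXX.EXAMPLE.COM, as the original poster describes.

```ini
# Added example: krb5.conf (krb5.ini on Windows) for the two realms in this thread.
# The kdc host names are hypothetical placeholders; substitute the real domain controllers.

[libdefaults]
    default_realm = XXX.EXAMPLE.COM
    # Take host-to-realm mappings from [domain_realm] below, not from DNS TXT records.
    dns_lookup_realm = false

[realms]
    XXX.EXAMPLE.COM = {
        kdc = dc1.xxx.example.com
    }
    YYY.EXAMPLE.COM = {
        kdc = dc1.yyy.example.com
    }

[domain_realm]
    # A host entry is checked before the domain (leading dot) entries.
    # Assumption taken from the original post: the principal is
    # HTTP/web1.YYY.EXAMPLE.COM@XXX.EXAMPLE.COM, so this one host maps to XXX
    # even though its DNS domain is yyy.example.com. If the service account
    # actually lives in YYY.EXAMPLE.COM, drop this line and rely on [capaths].
    web1.yyy.example.com = XXX.EXAMPLE.COM
    .yyy.example.com = YYY.EXAMPLE.COM
    .xxx.example.com = XXX.EXAMPLE.COM

[capaths]
    # "." means the two realms trust each other directly, with no
    # intermediate realm on the authentication path.
    XXX.EXAMPLE.COM = {
        YYY.EXAMPLE.COM = .
    }
    YYY.EXAMPLE.COM = {
        XXX.EXAMPLE.COM = .
    }
```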
