Re: SPNEGO auth with service principal in other realm work with IE and not with Firefox

Wed, 19 Oct 2011 09:43:23 -0700 

2011/10/19 Nebergall, Christopher <[email protected]>:
> Firefox is running on the same windows install as IE?  On windows Firefox 
> uses Windows's Kerberos by default so if it is set up correctly it should act 
> the same as IE.
>
> Set up Firefox like this.
>
> network.negotiate-auth.trusted-uris=example.com
> network.negotiate-auth.delegation-uris=example.com
> network.automatic-ntlm-auth.trusted-uris=example.com
>
> or this
>
> network.negotiate-auth.trusted-uris=xxx.example.com, yyy.example.com
> network.negotiate-auth.delegation-uris=xxx.example.com, yyy.example.com
> network.automatic-ntlm-auth.trusted-uris=xxx.example.com, yyy.example.com
>
> (You could limit your URLS to just https https://example.com depending on 
> your use case).
>
Thanks already done. Don't work for web1.YYY.EXAMPLE.COM but work for
web2.XXX.EXAMPLE.COM . regards
> -Christopher
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of 
> Elia Pinto
> Sent: Wednesday, October 19, 2011 9:38 AM
> To: [email protected]
> Subject: SPNEGO auth with service principal in other realm work with IE and 
> not with Firefox
>
> Hi to all
>
> I have an authentication infrastructure with Windows 2003 AD (realm
> XXX.EXAMPLE.COM) and clients with windows XPSP3
> (XXX.EXAMPLE.COM dns  domain). I have a web server
> web1.YYY.EXAMPLE.COM (YYY.EXAMPLE.COM is also an AD domain in the same
> forest with a cross trust kerberos auth with XXX.EXAMPLE.COM) . It
> 'was created  on  the KDC of XXX.EXAMPLE.COM the
> HTTP/web1.YYY.EXAMPLE.COM @ XXX.EXAMPLE.COM server principal and it
> was correctly configured the web server for doing SPNEGO HTTP
> authentication. Now this works transparently from the  clients with IE
> and not firefox. I have successfully configured firefox in about:
> config but although the web server requires the authentication type
> Negotiate firefox does nothing. The question is, but this
> configuration is supposed to work by Kerberos, I thought not, but I
> can not explain why it to work in IE if this is true. I have searched
> but no avail.
>
> Thanks in advance for your help
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to