Benjamin Kaduk <[email protected]> writes: > On Sat, 15 Sep 2012, [email protected] wrote: > >>> Hi, >>> >>> >>> I have a Kerberos-based SSO system. The Kerberos realm is >>> "CORP.EXAMPLE.COM". Every service has its own domain name, such as >>> "imap.corp.example.com", "wiki.corp.example.com" and so on. >>> >>> Now I can login these services on Debian sid. But it always fails on >>> Windows XP. >>> >>> I've configured Firefox by setting the following preferences: >>> >>> network.negotiate-auth.trusted-uris = corp.example.com >>> network.negotiate-auth.using-native-gsslib = true >>> network.auth.use-sspi = false >> >> Why did you disable SSPI? This works quite well with Unix-based servers. > > Off the top of my head (and my memory may be incorrect), the windows > SSPI libraries only access credentials in the windows LSA credentials > store, which is not populated by stock KfW 3.2. > > With respect to the OP's question, KfW 3.2 is based off MIT krb5 > version 1.6, which is rather old. It might be worth just giving your > services credentials named for the service's domain name (e.g., > wiki.corp.example.com) as a workaround so the server principal name > matches the server name.
Thank you. I added all domain names. Now I can login on Windows XP. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
