Hi Benjamin,

I configured firefox for no sspi and also added domain primesystems.com to 
network.negotiate-auth.trusted-uris and then when I try reaching a page I get 
in catalina log:

192.168.1.225 - - [10/Oct/2012:12:30:33 +0530] "GET /jsf-sso/supervisor_teller.xhtml HTTP/1.1" 401 5

It shows nothing more.  I do not see any ticket sent from browser to tomcat and 
no auth request made by tomcat to kdc.

When I use IE with the setting of host added to local intranet it no longer prompts 
for user/pass, but then the catalina logs show that it has an issue with the token:

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Regards,

Miten.
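A quick way to see what mechanism the browser actually put in the Authorization: Negotiate header, as an added diagnostic example that is not part of this thread: a raw Kerberos or SPNEGO token starts with the GSS-API [APPLICATION 0] tag 0x60 followed by a mechanism OID, whereas an NTLM fallback starts with "NTLMSSP\0" and is what the "GSSHeader did not find the right tag" error typically points at. The header values below are constructed samples, not captured traffic.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER of 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # DER of 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_MAGIC = b"NTLMSSP\x00"                        # NTLM message signature, not a GSS token


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <b64>' header value by the mechanism it carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlm"            # browser fell back to NTLM; a Kerberos-only GSS stack rejects this
    if len(raw) < 2 or raw[0] != 0x60:
        return "not-gss"         # no [APPLICATION 0] tag: "GSSHeader did not find the right tag"
    # Skip the tag byte and the DER length field (short form: 1 byte; long form: 1 + n bytes)
    pos = 2 + (raw[1] & 0x7F if raw[1] >= 0x80 else 0)
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"
    if raw.startswith(KRB5_OID, pos):
        return "krb5"
    return "gss-other-mech"


def negotiate_header(raw):
    """Wrap raw token bytes as a Negotiate header value (used here to build constructed samples)."""
    return "Negotiate " + base64.b64encode(raw).decode()


def gss_token(oid_der, inner):
    """Build a constructed GSS-API initial context token: 0x60, DER length, mechanism OID, inner bytes."""
    body = oid_der + inner
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return negotiate_header(b"\x60" + length + body)


# Constructed sample: an NTLM Type 1 message, i.e. what an NTLM fallback looks like on the wire
SAMPLE_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2")
```

Paste the header value from a browser developer-tools request (or a tcpdump/Wireshark capture of the request to Tomcat) into classify_negotiate_token; "ntlm" means the zone or trusted-uris configuration still is not letting the browser do Kerberos.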



________________________________
 From: Benjamin Kaduk <[email protected]>
To: miten mehta <[email protected]> 
Cc: "[email protected]" <[email protected]> 
Sent: Wednesday, October 10, 2012 2:51 AM
Subject: Re: kerberos / spnego
 
On Mon, 8 Oct 2012, miten mehta wrote:

> Hi Booker,
> 
> I am using Internet Explorer 9 and assume it should be configured already for 
> spnego.  The webapp as such has to do some auth prompting so I guess it 
> starts out doing jaas based basic auth.  I am just following pretty much the 
> article at spring security and their samples.

I've had a much easier time getting firefox to do SPNEGO than IE9.
If you are using an external kerberos (MIT or heimdal) you will need to tell 
firefox to disable sspi (in about:config).  Both IE and firefox need to be told 
which sites they are permitted to use negotiate auth against, though -- firefox 
has a negotiate.trusted-uris entry in about:config, and IIRC IE needs hostnames 
configured to be in the local intranet zone.

In my own testing, I was only ever able to get IE9 to do SPNEGO if I explicitly 
inserted the correct service ticket into the MSLSA cache manually, or if the 
machine was joined to an AD domain.

-Ben Kaduk
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
