Hi all, 

> as Russ Allbery, one of the (main?) authors of webauth, is very active on 
> this list, maybe you can ask a question like "i'm trying to use kerberos for 
> the following situation, would webauth or cosign do a better or easier job 
> for that" here and hope for an answer or a hint to the appropriate mailing 
> list by him ;-) 
> According to your tests with kerberos directly: As my knowledge about apache and 
> sso ends here, kerberos specialists like Greg Hudson and Benjamin Kaduk might 
> help more. 

I don't really know what's happened since Friday but it seems that now the 
Windows Kerberos began to work! I restarted the computer several times between 
Thursday and Sunday but it was only this morning that it decided to work. 

Since this morning, when I start my computer, I'm able to connect to the 
account 'REALM.COM\test1'. After that, I open firefox and launch the VPN. As 
soon as the VPN is running, I see in the KDC logs the following two lines: 

Jan 20 15:07:11 xyz.realm.com krb5kdc[1767](info): AS_REQ (6 etypes {18 17 23 
24 -135 3}) <VPN Internal IP>: ISSUE: authtime 1390226831, etypes {rep=18 
tkt=18 ses=18}, [email protected] for krbtgt/[email protected] 
Jan 20 15:07:11 xyz.realm.com krb5kdc[1767](info): TGS_REQ (5 etypes {18 17 23 
24 -135}) <VPN Internal IP>: ISSUE: authtime 1390226831, etypes {rep=18 tkt=18 
ses=18}, [email protected] for host/[email protected] 

And I can access a kerberized application fairly quickly (the page takes 
between 0.5 and 3 seconds to be loaded). With MIT Kerberos the page still takes 
10 minutes to be loaded... So strange! 

Anyway, here are my settings for firefox: 

* network.negotiate-auth.delegation-uris -- user set -- string -- .REALM.COM 
* network.negotiate-auth.trusted-uris -- user set -- string -- .REALM.COM 
* network.negotiate-auth.using-native-gsslib -- user set -- boolean -- false 
* network.auth.use-sspi -- default -- boolean -- true 


I have another question about Windows's tickets. Is it possible to make this 
ticket "forwardable = true" and "proxiable = true"? One of our kerberized 
applications is Alfresco. Alfresco Share uses a proxy that redirects everything 
to Alfresco Explorer. From a Unix client, I just have to put these two settings 
in the /etc/krb5.conf file but in Windows, I haven't found how to set it up 
with ksetup. These two lines are already in the configuration file of the KDC 
but they need to be in the client's configuration file too. 


Thanks for your help, 
Regards, 
Morgan 
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
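
The krb5kdc lines quoted in the message above record both the encryption types the client offered and the ones the KDC used for the reply, ticket and session key. As an added example (not part of the original post), this Python sketch parses lines of that format and flags single-DES and RC4 etypes; the sample lines, principals and addresses are constructed, and the function names are hypothetical.

```python
import re

# Encryption type numbers as they appear in krb5kdc log lines; negative
# values are Microsoft-private. Only the numbers seen above are listed.
ETYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp", 3: "des-cbc-md5",
          -135: "rc4-hmac-old-exp"}
WEAK = {3, 23, 24, -135}  # single-DES and RC4 variants

LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

# Constructed sample lines in the same format (principals and addresses are
# placeholders). The second one is a constructed RC4-only client.
SAMPLE_LOG = """\
Jan 20 15:07:11 kdc.example.com krb5kdc[1767](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.8.0.5: ISSUE: authtime 1390226831, etypes {rep=18 tkt=18 ses=18}, test1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 20 15:09:42 kdc.example.com krb5kdc[1767](info): TGS_REQ (1 etypes {23}) 10.8.0.9: ISSUE: authtime 1390226950, etypes {rep=23 tkt=18 ses=23}, test2@EXAMPLE.COM for host/app.example.com@EXAMPLE.COM
"""

def parse_kdc_line(line):
    """Return the fields of one issued-ticket line, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    offered = [int(n) for n in m.group("offered").split()]
    issued = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return {"req": m.group("req"), "status": m.group("status"),
            "client": m.group("client"), "service": m.group("service"),
            "offered": offered, "issued": issued,
            "weak_offered": [e for e in offered if e in WEAK],
            "weak_issued": sorted(k for k, e in issued.items() if e in WEAK)}

def report(log_text):
    """One summary string per parsed line, naming the negotiated etypes."""
    out = []
    for rec in filter(None, map(parse_kdc_line, log_text.splitlines())):
        used = ", ".join(f"{k}={ETYPES.get(e, e)}" for k, e in rec["issued"].items())
        flag = "WEAK " + "/".join(rec["weak_issued"]) if rec["weak_issued"] else "ok"
        out.append(f"{rec['req']} {rec['client']} -> {rec['service']}: {used} [{flag}]")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

In the quoted lines, rep=18 tkt=18 ses=18 means AES256 was used throughout even though the client also offered RC4 and DES types. The parser expects each log entry on a single line, as it appears in the KDC log file rather than wrapped by a mail client.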
