On Wednesday 05 September 2007, Jeffrey Altman wrote:
MIT KFW ships with an SDK in the installer. However, the layout of the
header and library files is different from the UNIX installation. There
is no krb5-config.exe to report the build and installation details
Why?
On Wednesday 05 September 2007, Ed Zorob wrote:
it's hard to believe that no one developed a windows version of krb5-config
I even emailed that author of this module ( Daniel Kouril ) few days
ago and no reply yet.
1. The mailinglist [EMAIL PROTECTED] can
be used for discussing
On Friday 27 July 2007 18:11, Douglas E. Engert wrote:
I stil think you have a client problem, of the client not delegating.
A client not delegating because mutal-auth has not finished it's roundtrips?
The mod_auth_kerb code tries to store the deleg_cred *without* checking
if mutal-auth is in
On Friday 27 July 2007 09:14, Mikkel Kruse Johnsen wrote:
After the patch (attached) I get this.
I think your patch does my idea wrong.
Your patch checks
major_status == GSS_S_COMPLETE
but in your patch major_status is the return-value of gss_display_name(),
not of accept_sec_token.
You
On Thursday 26 July 2007 19:41, Douglas E. Engert wrote:
Mikkel Kruse Johnsen wrote:
Hi Douglas
I have already done all these steps.
It still looks like the client is not delegating.
I am not sure if this idea works
but maybe you (Mikkel) can give it a try?
From my point of view that
On Thursday 26 July 2007 20:16, Douglas E. Engert wrote:
Achim Grolms wrote:
From my point of view that means we can exclude the item
Client sends nothing as delegated credeatials because from
my point of view the logging means *something* is received.
No, the trace showed
On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
If I understand RFC2744 correct GSS_C_DELEG_FLAG
would not be set in that case?
Achim
Agreed. That flag shouldn't be set AFAIK, though the value isn't
valid until negotiation is complete.
That means before trying to store delegated
On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
Achim Grolms wrote:
On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
If I understand RFC2744 correct GSS_C_DELEG_FLAG
would not be set in that case?
Achim
Agreed. That flag shouldn't be set AFAIK, though the value isn't
On Wednesday 25 July 2007 11:55, Mikkel Kruse Johnsen wrote:
Compiled the mod_auth_kerb with the attched
The modification does a check if GSS_C_DELEG_FLAG
is present.
From my point of view (a paranoid point of view)
an additional check has to follow:
before the code does the call to
On Wednesday 18 July 2007 10:01, Mikkel Kruse Johnsen wrote:
Now I only have the problem that mod_auth_kerb don't write my
credentials to KRB5CCNAME (in PHP).
Some knowledge on Credentials delegation I have stolen from
mailinglists is now part of
On Tuesday 17 July 2007 09:41, Mikkel Kruse Johnsen wrote:
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information (Cannot allocate memory)
What OS and what Kerberoslibs do you use?
Background of this question:
I've seen this errormessage Cannot
On Wednesday 20 June 2007 20:03, Tyler Petrie wrote:
Hi,
I am receiving:
gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab
matches desired name)
On Windows kerbtray.exe is helpfull for showing the ticketdetails
IE uses. The ticket in kerbtray.exe and in Apaches
On Wednesday 17 January 2007 18:12, Jeff Blaine wrote:
Is there a Wiki for Kerberos info?
A Kerberos-related Wiki is
http://www.kerberosprotocols.org/
Achim
--
using mod_auth_kerb and Windows 2000/2003 as KDC:
http://www.grolmsnet.de/kerbtut/
On Wednesday 06 December 2006 15:15, Diego Lima wrote:
On Tue, 5 Dec 2006 19:41:23 -, Tim Alsop wrote
It is not possible to configure IE to use anything other than LSA
for getting credentials, however Firefox can be configure to use a
GSS-API library
Am I missing something?
check
On Wednesday 06 December 2006 17:33, Diego Lima wrote:
[Mon Nov 06 14:16:11 2006] [error] [client 192.168.130.224]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
Client sends NTLM instead of Kerberos5.
I have also taken a look and noticed that
On Wednesday 06 December 2006 18:29, Diego Lima wrote:
network.auth.use-sspi true
if true this means Firefox uses the Win32-API (calles SSPI).
Set this to false to use a 3rd party GSSAPI.
(automatically switches network.negotiate-auth.using-native-gsslib
to 'true', this
On Monday 04 December 2006 18:45, Dave Gudgeon wrote:
The research I have
conducted leads me to believe that I need to pass kerberos tokens to the
second server along with my HTTP request, is this correct?
As far as I know this is called credentials delegation in GSSAPI.
I have started to
On Thursday 03 August 2006 04:28, Daniel B. Bailey wrote:
hello, i have a situation where SSO (Single Sign On) for Oracle Portal uses
Kerberos tokens ( Windows Authentacation) to sign on to an Oracle system.
What Webbrowsers do you use?
What KDC-Software do you use?
What GSSAPI-implementation
On Monday 15 May 2006 14:59, Trey Tarpley wrote:
Our company's internal web site (intranet) is set up with an auto-login
feature with Kerberos. Some employees are having trouble being
automatically logged in. The problem seems to be that IE is using the old
authentication with NTLM instead
On Thursday 23 March 2006 18:39, David Telfer wrote:
I may look into the
potential for using ArcFour for both the keytab and ServicePrincipal
In general that works, I've some mails of people in my inbox
who run their mod_auth_kerb with RC4.
but
I'm sure this will open another can of worms
On Thursday 23 March 2006 19:22, [EMAIL PROTECTED] wrote:
Note: I am not the system administrator when i issued these commands. (
do i need to be one??)
From the ktpass Documentation:
http://technet2.microsoft.com/WindowsServer/en/Library/64042138-9a5a-4981-84e9-d576a8db0d051033.mspx
On Wednesday 22 March 2006 18:19, Tim Alsop wrote:
Alternatively, you can use one of the many tools available that replace
the need for ktpass, and use computer accounts for key storage. These
tools do not suffer from the same issues as ktpass.
What are that tools?
Can you send searchkeywords
On Friday 17 March 2006 22:18, [EMAIL PROTECTED] wrote:
Thanks richard,
My kerberos authentication i think is working now
i say 'i think' because when i check my http header response this is
what i am getting:
WWW-Authenticate: Basic realm=Kerberos Login
It is saying Basic, when I have
http://search.cpan.org/search?query=LWP-Authen-Negotiatemode=all
Many thanks to Leif Johansson who co-authored the module.
I hope it is useful!
Achim Grolms
--
using mod_auth_kerb and Windows 2000/2003 as KDC:
http://www.grolmsnet.de/kerbtut
On Friday 17 February 2006 23:08, Jason Fenner wrote:
I have followed these instruction completely:
http://www.grolmsnet.de/kerbtut/
The research I have done so far shows that IE will try kerberos first,
and then fail over to NTLM.
please run
kvno HTTP/rt.vitamix.com
to see if the
?query=GSSAPImode=dist
Use our Mailinglists [EMAIL PROTECTED]
and [EMAIL PROTECTED]
for support and discussion
See http://perlgssapi.sourceforge.net/
for more information.
Achim Grolms
--
using mod_auth_kerb and Windows 2000/2003 as KDC:
http://www.grolmsnet.de/kerbtut
On Thursday 12 January 2006 19:01, Victor Sudakov wrote:
Does mod_auth_kerb really do GSSAPI ?
Yes. Please have a look at
http://www.kerberosprotocols.org/index.php/Draft-brezak-spnego-http-03.txt
I thought it was just an implementation of HTTP basic auth, with Kerberos
instead of the
On Thursday 12 January 2006 17:06, Smellyfrog wrote:
My problem: IE (And Firecfox, but if could at least get IE to work that
would be a start) keeps poping the logon window.
Please
1. send the relevant part from Apache errorlog
2. Do a HEAD request to the location and send the HTTP-Headers
On Wednesday 07 December 2005 14:10, [EMAIL PROTECTED] wrote:
Hi,
I want to hard code the mech type for kerberos instead of GSS_C_NO_OID.
Could anybody please tell me how to do it ?
Pass the mechtype you want to
gss_init_sec_context().
use
gss_indicate_mechs()
to ask for the Mechtypes
On Tuesday 06 December 2005 16:51, [EMAIL PROTECTED] wrote:
- is it posible to have kerberos for auth mech. over internet, and
especialy for port 80.
- does it alse need some other input or output for 3way communication
it relies on, or only this port would be ok.
On Monday 14 November 2005 18:48, FM wrote:
I'm trying to use mod_auth_kerb to authenticate users with kerberos.
Have you read http://www.grolmsnet.de/kerbtut/?
But when I try to authenticat myself http error_log show :
[error] [client 192.168.4.171] krb5_verify_init_creds() failed: Key
On Monday 14 November 2005 20:43, you wrote:
Thanks for the reply,
you can use http if you add tu http conf : KrbServiceName http
Yes, but you have to configure the Browser, too.
Internet Exploder *always* sends HTTP.
That means HTTP is a de-facto standard if you
don't want to exclude
On Monday 14 November 2005 21:44, FM wrote:
Thank you, I'll use HTTP as service name
there a PXI firewall but for now all ports are open from the server to
kerberos server and there is non nat.
OK, I asked for HTTP-protocol-level proxies.
Do I also need a princ host/... ? For now I just have
On Monday 14 November 2005 22:21, vilifin (sent by Nabble.com) wrote:
Is there some
kind of direct API in Windows XP for requesting a service ticket? --
The windows SSPI is the OS-builtin equivalent to GSSAPI.
Have a look at
In comp.protocols.kerberos Russ Allbery [EMAIL PROTECTED] wrote:
In comp.infosystems.www.servers.unix, scmoseman [EMAIL PROTECTED] writes:
The website authenticates against the Windows domain.
But it uses a pop-up box for the login authentication.
I'm under the impression that it should use
In comp.protocols.kerberos Scott Moseman [EMAIL PROTECTED] wrote:
mod_auth_kerb can do SPNEGO.
Find my tutorial using mod_auth_kerb and Windows 2000 as KDC
at http://www.grolmsnet.de/kerbtut/
Thanks, Achim, you indirectly helped me solved my problem.
All your steps are similar to the
nightolo [EMAIL PROTECTED] wrote:
I configured all of these stuff but when I tried to log on with apache
with Basic Authentication I got gss_acquire_cred() failed:
Miscellaneous failure (No principal in keytab matches desired name)
in error.log.
Have you checked that your keytab is correct?
37 matches
Mail list logo