On Mon, Oct 3, 2016 at 8:52 AM, <aleksey.maksi...@it-kb.ru> wrote:

> > network.negotiate-auth.delegation-uris = .ad.holding.com
> > network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and
> Firefox opens without problems and without password prompts
>
> But when opening links from start page...
>
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
>
> ...opens an oVirt form prompting for credentials with a single profile
> "internal"
>

Ahh, so kerberos SSO works fine for API, but not for portals. Could you please share your Apache configuration with oVirt kerberos configuration? Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

Thanks

Martin Perina

> 03.10.2016, 09:37, "Martin Perina" <mper...@redhat.com>:
>
> On Mon, Oct 3, 2016 at 8:18 AM, <aleksey.maksi...@it-kb.ru> wrote:
>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Firefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead of the transparent sign-on using
> Kerberos.
> It is impossible ??
>
> It's possible and it's working fine when everything is properly set up.
> But please bear in mind kerberos SSO is one of the most complicated oVirt
> setups, but usually the error is on kerberos side (environment issues on the
> client).
>
> So, you are saying that using curl you are able to access API using
> kerberos ticket but when you try to access the same API from the browser it
> does not work, right?
> I don't use IE, but you need to set following options in "about:config"
> URL for Firefox to work properly with kerberos:
>
> network.negotiate-auth.delegation-uris = .ad.holding.com
> network.negotiate-auth.trusted-uris = .ad.holding.com
>
> If you have those options set, what exactly happens when you try to access
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> in Firefox?
>
> Martin Perina
>
> 03.10.2016, 09:08, "Martin Perina" <mper...@redhat.com>:
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting       Expires              Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
> >         renew until 10/07/2016 16:50:29
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <api>
> > ... output truncated ...
> > </api>
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> > from Internet Explorer & Firefox
>
> On Mon, Oct 3, 2016 at 7:37 AM, <aleksey.maksi...@it-kb.ru> wrote:
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" <aleksey.maksi...@it-kb.ru>:
>
> Any other ideas?
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users