> network.negotiate-auth.delegation-uris = .ad.holding.com
> network.negotiate-auth.trusted-uris = .ad.holding.com
> network.negotiate-auth.trusted-uris = .ad.holding.com
Yes. Configured
The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and Firefox opens without problems and without password prompts
But when opening links from start page...
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
...opens a oVirt form prompting for credentials with a single profile "internal"
03.10.2016, 09:37, "Martin Perina" <[email protected]>:
On Mon, Oct 3, 2016 at 8:18 AM, <[email protected]> wrote:Hello, MartinBefore I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Forefox.Kerberos authentication NOT working with oVirt Web-Portals.I expect that the users opening the oVirt web portal in the browser did not enter a password, and used instead of the transparent sign-on using Kerberos.
It is impossible ??It's possible and it's working fine when everything is properly set up. But please bear in mind kerberos SSO is one of the most complicated oVirt setup, but usually the error is on kerberos side (environment issues on the client).
So, you are saying that using curl you are able to access API using kerberos ticket but when you try to access the same API from the browser it does not work, right?I don't use IE, but you need to set following options in "about:config" URL for Firefox to work properly with kerberos:
network.negotiate-auth.delegation-uris = .ad.holding.com
network.negotiate-auth.trusted-uris = .ad.holding.com
If you have those options set, what exactly happen when you try to access https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/apiin Firefox?
Martin Perina
03.10.2016, 09:08, "Martin Perina" <[email protected]>:Hi Aleksey,
in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?
Regards
Martin Perina
> # kinit aleksey
>
> Password for [email protected]: ***
>
> # klist
>
> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 09/30/2016 16:50:32 10/01/2016 02:50:32 krbtgt/[email protected]
> renew until 10/07/2016 16:50:29
>
>
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -khttps://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <api>
> ... output truncated ...
> </api>
>
> It Works.
> The browsers are configured.
> Kerberos authentication for Windows web servers working successfully from Internet Explorer & Forefox
On Mon, Oct 3, 2016 at 7:37 AM, <[email protected]> wrote:
Up
30.09.2016, 18:55, "[email protected]" <[email protected]>:
> Any other ideas?
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you choose to click.
If you are uncertain, we always try to help.
Greetings [email protected]
--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you choose to click.
If you are uncertain, we always try to help.
Greetings [email protected]
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list -- [email protected] To unsubscribe send an email to [email protected] Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/ATPIRCDGWQPGJLEVBXGYS7YTHVWYHREU/
