
Re: Kerberos Digest, Vol 171, Issue 14

daemon@ATHENA.MIT.EDU (Hugh Cole-Baker)
Thu Mar 23 12:23:33 2017

Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Hugh Cole-Baker <sigmaris@gmail.com>
In-Reply-To: <mailman.771.1490284885.14782.kerberos@mit.edu>
Date: Thu, 23 Mar 2017 16:23:13 +0000
Message-Id: <64FEC26D-8DD9-46A8-8DC5-FAD270AC1650@gmail.com>
To: Giuseppe Mazza <g.mazza@imperial.ac.uk>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


> On 23 Mar 2017, at 16:01, kerberos-request@mit.edu wrote:
> 
> Message: 4
> Date: Thu, 23 Mar 2017 13:26:05 +0000
> From: Giuseppe Mazza <g.mazza@imperial.ac.uk>
> Subject: single sign on problem on macOS Sierra (Version 10.12.3) client
> To: kerberos@mit.edu
> Message-ID: <eabbaf42-b885-de5f-9948-fc11b182d2e8@imperial.ac.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Hello there,
> 
> I have tried to implement single sign-on on my MacBook.
> 
> What I can do:
> - I can kinit and get a valid ticket
> - I can ssh into a Linux machine that is part of my realm without being 
> asked for a password
> 
> What I can *not* do:
> - browse a webpage even if I have kinit-ed successfully.
> When I access my url, i.e. https://intranet.example.com
> I am prompted with a window asking for my username and password.
> Moreover I have got no entry in /var/log/krb5kdc.log on my kerberos master.
> 
> I am sure the apache server is well configured. If I try to access the 
> same webpage from a linux client, it will work.
> 
> My questions are
> - what is the authentication mechanism used by firefox to use Kerberos 
> for SSO? is it GSS-API?

It's using the GSS-API SPNEGO mechanism over HTTP; RFC 4559 describes how
the mechanism is used for HTTP authentication.

> I am asking because it seems to me that my macbook does not manage to 
> contact my kerberos server in the first place.
> - has anybody managed to configure supported browsers for Kerberos SSO 
> and Apache on macOS clients?
> 

Yes, if you're using Firefox you should read
https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
and set the preferences mentioned on that page to whitelist the URLs
you want to use HTTP Negotiate auth with. Firefox will not try Negotiate by
default.
Chrome requires whitelisting servers too, using this setting:
https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist

> 
> Kind regards,
>  Giuseppe

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
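The browser setup Hugh describes, plus a way to see whether Kerberos was ever involved, as an added shell example (this is not code from the thread or from any of the projects it mentions). It assumes intranet.example.com is a placeholder host, that the Firefox profile directory is supplied by the caller, and that Chrome on macOS reads the AuthServerWhitelist policy from the com.google.Chrome managed-preferences domain; network.negotiate-auth.trusted-uris is the Firefox preference the linked Mozilla page refers to.

```shell
#!/bin/sh
# Added example, not code from the thread: generate and apply the browser
# settings for HTTP Negotiate (SPNEGO) on macOS, and check the Kerberos side
# outside the browser. Assumptions (placeholders): intranet.example.com is the
# intranet host, the Firefox profile directory is passed in by the caller,
# Chrome reads managed prefs from the com.google.Chrome domain.

# Build the comma-separated host list both browsers expect. Entries may be
# host names or domain suffixes such as .example.com.
join_hosts() {
    list=$(printf '%s,' "$@")
    printf '%s' "${list%,}"
}

# Firefox only attempts Negotiate for hosts listed in
# network.negotiate-auth.trusted-uris; this prints the user.js line for it.
firefox_negotiate_prefs() {
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' \
        "$(join_hosts "$@")"
}

# Chrome: the value string for the AuthServerWhitelist policy.
chrome_auth_whitelist() {
    join_hosts "$@"
}

# Append the Firefox line to the profile's user.js (created if absent).
# Firefox has to be restarted to pick it up.
apply_firefox_prefs() {
    profile_dir=$1; shift
    firefox_negotiate_prefs "$@" >> "$profile_dir/user.js"
}

# Set the Chrome policy through macOS managed preferences.
apply_chrome_policy() {
    defaults write com.google.Chrome AuthServerWhitelist \
        -string "$(chrome_auth_whitelist "$@")"
}

# Diagnosis outside the browser. If the server offers Negotiate and curl
# succeeds with the existing TGT, the KDC is reachable and the browser
# configuration is what remains. No HTTP/ service ticket in klist after a
# browser attempt means the browser never started Negotiate, which is
# consistent with an empty krb5kdc.log on the KDC.
check_negotiate() {
    url=$1
    host=${url#*://}; host=${host%%/*}
    echo "Challenge offered by server:"
    curl -sI "$url" | grep -i '^WWW-Authenticate: Negotiate' \
        || echo "  none (check the Apache Kerberos auth module config)"
    echo "Status with Kerberos credentials via curl:"
    curl -s -o /dev/null -w '  HTTP %{http_code}\n' --negotiate -u : "$url"
    echo "Service ticket now in the credential cache:"
    klist 2>/dev/null | grep "HTTP/$host" || echo "  none"
}

# Usage: sh sso.sh firefox <profile-dir> host...  |  chrome host...  |  check <url>
case ${1:-} in
    firefox) shift; apply_firefox_prefs "$@" ;;
    chrome)  shift; apply_chrome_policy "$@" ;;
    check)   check_negotiate "$2" ;;
esac
```

Run `sh sso.sh check https://intranet.example.com` first: a 401 with no Negotiate challenge points at the server, a 200 from curl with an HTTP/ ticket appearing in klist points at the browser whitelist, which is exactly the case Hugh describes for an unconfigured Firefox.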
