[30307] in Kerberos

home help back first fref pref prev next nref lref last post

Re: spnego

daemon@ATHENA.MIT.EDU (Tuomas)
Tue Sep 16 16:39:28 2008

From: Tuomas <tuomaksen.spammiposti@gmail.com>
MIME-Version: 1.0
In-Reply-To: <mailman.15.1221156129.29003.kerberos@mit.edu>
Message-ID: <ctUzk.66733$_03.50762@reader1.news.saunalahti.fi>
Date: Tue, 16 Sep 2008 23:15:04 +0300
X-Complaints-To: newsmaster@saunalahti.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Michael B Allen wrote:
> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
> <tuomaksen.spammiposti@gmail.com> wrote:
>> I also found out using wireshark what Internet Explorer does when it
>> fails to authenticate using Kerberos. It asks a ticket from the Active
>> Directory server for HTTP/virtualhost.domain.com instead of
>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>> anyone found solutions for this?
> 
> That's not a bug. You will need to add SPNs to the desired account
> (using setspn) for each virtual hostname.

I see, just can't understand why this is happening occasionally. At 
least it makes things harder.

Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still 
didn't work as they should. Now i apache's error.log I get:
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code 
may provide more information (Key table entry not found)

I understand that I should have also virtualhost.domain.com defined in 
my keytab, just don't have any idea how to do that.

Thanks for all the help!
-Tuomas
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post