[24538] in Kerberos
Re: windows browsers send ntlm instead of kerberos tokens
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Mon Aug 29 11:29:46 2005
Date: Mon, 29 Aug 2005 11:28:34 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Wyllys Ingersoll <wyllys.ingersoll@sun.com>,
Julien ALLANOS <julien.allanos@aql.fr>
Message-ID: <581DF4DA2F116CD8D5C7B0D6@bistromath.pc.cs.cmu.edu>
In-Reply-To: <43131B93.6060302@sun.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
On Monday, August 29, 2005 10:28:35 -0400 Wyllys Ingersoll
<wyllys.ingersoll@sun.com> wrote:
>
> By default, Firefox will only perform GSSAPI (negotiate-auth)
> authentication
> when the protocol is 'https://'.
>
> Check the "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" parameters (under "about:config")
> and
> make sure that you allow "http://" as well as "https://" if you are
> accessing
> non-SSL protected sites.
>
> network.negotiate-auth.delegation-uris = "https://,http://"
> network.negotiate-auth.trusted-uris = "https://,http://"
Aaaa! No! Don't do this unless you _absolutely_ need this ability.
Running HTTP negotiate over a plaintext connection is _not secure_. It
provides no integrity protection and is subject to a relatively easy
man-in-the-middle attack.
If the problem is indeed that the connection is not using SSL, the correct
solution is to change that service to use SSL.
If you absolutely must use HTTP negotiate with a service that is not using
SSL and which you do not control, then turning on negotiate support for
non-SSL connections may be your only choice.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos