[24539] in Kerberos

home help back first fref pref prev next nref lref last post

Re: windows browsers send ntlm instead of kerberos tokens

daemon@ATHENA.MIT.EDU (Wyllys Ingersoll)
Mon Aug 29 11:35:22 2005

Message-ID: <43132A6A.9070308@sun.com>
Date: Mon, 29 Aug 2005 11:31:54 -0400
From: Wyllys Ingersoll <wyllys.ingersoll@sun.com>
MIME-Version: 1.0
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <581DF4DA2F116CD8D5C7B0D6@bistromath.pc.cs.cmu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Jeffrey Hutzelman wrote:

>>
>> By default, Firefox will only perform GSSAPI (negotiate-auth)
>> authentication
>> when the protocol is 'https://'.
>>
>> Check the "network.negotiate-auth.delegation-uris" and
>> "network.negotiate-auth.trusted-uris" parameters (under "about:config")
>> and
>> make sure that you allow "http://" as well as "https://" if you are
>> accessing
>> non-SSL protected sites.
>>
>> network.negotiate-auth.delegation-uris = "https://,http://"
>> network.negotiate-auth.trusted-uris = "https://,http://"
>
>
> Aaaa!  No!  Don't do this unless you _absolutely_ need this ability.
>
> Running HTTP negotiate over a plaintext connection is _not secure_.  
> It provides no integrity protection and is subject to a relatively 
> easy man-in-the-middle attack.


I totally agree with Jeff, that is why SSL is the default setting for 
Firefox.  I was just pointing
out one possible reason why the test was not working for the original 
poster.

-Wyllys

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post