[37313] in Kerberos


Re: SPNEGO question

daemon@ATHENA.MIT.EDU (Rick van Rein)
Mon Nov 9 17:40:04 2015

Message-ID: <564120AB.7050802@openfortress.nl>
Date: Mon, 09 Nov 2015 23:39:39 +0100
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: Pascal Jakobi <pascal.jakobi@gmail.com>
In-Reply-To: <56411911.8090601@gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Pascal,

> I was able to have it to work (with firefox) when calling simple URI
> such as http://host.domain.tld but not when calling
> http://host.domain.tld/test_dir.

That surprises me.  I've been putting host.fqdn.names and .domain.names
into the network.negotiate-auth.trusted-uris field in about:config and
not full URIs as the field name suggests, so I wonder how the path could
be of influence.

> I did change the negotiate URI field in firefox configuration,

You were trying to set up the path in the trusted-uris field?  That is
not the idea, I think.

The use of trusted-uris is to set up hosts that may receive the Kerberos
tickets, and the path underneath is hardly considered a distribution
across operational boundaries, so it has no real impact on trust.

If your intention is to only pick up the ticket for certain paths, then
you should leave the trusted-uris set to the entire webhost, and set up
the server to only request SPNEGO authentication for the paths that it
considers protected resources.

> but did
> not touch the service keytab (HTTP/<host>). My guess is that the problem
> is there...
>
You cannot change the service keytab for paths; it only mentions the
service name and the server hostname.

> Does this mean that in reality SPNEGO is limited to virtual hosts ?
>
Not sure what you're asking.  SPNEGO trusted-uris on Firefox are set up
for hostnames AFAIK, and within a server you get to choose when to
trigger SPNEGO by demanding authentication.

> If someone could clarify, this would be more than useful...
>
I hope this helps.


Cheers,
 -Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
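To illustrate the split described in the reply above (trust the whole host in the browser, demand authentication per path on the server), here is an added example configuration that is not from the thread: an Apache httpd virtual host using mod_auth_gssapi. The hostname host.domain.tld, the keytab path /etc/httpd/http.keytab and the protected path /test_dir are assumptions for illustration.

```apache
# Added example (not from the thread). Assumes Apache httpd with mod_auth_gssapi
# loaded, a keytab holding only HTTP/host.domain.tld@REALM (no path component
# exists in a service principal), and that Firefox's
# network.negotiate-auth.trusted-uris is set to "host.domain.tld" (host only,
# no path). The browser then offers a SPNEGO token for any path on that host
# that answers 401 with "WWW-Authenticate: Negotiate".
<VirtualHost *:443>
    ServerName host.domain.tld

    # Everything outside /test_dir stays anonymous: no 401 is sent, so no
    # Negotiate exchange happens and no ticket is presented.
    <Location />
        Require all granted
    </Location>

    # Only this path demands SPNEGO. Apache issues the Negotiate challenge
    # here, and Firefox answers it because the host is in trusted-uris.
    <Location /test_dir>
        AuthType GSSAPI
        AuthName "Kerberos login"
        GssapiCredStore keytab:/etc/httpd/http.keytab
        GssapiAllowedMech krb5
        GssapiBasicAuth Off
        Require valid-user
    </Location>
</VirtualHost>
```

Scoping the challenge with a Location block is what limits ticket use to a path; the keytab and the trusted-uris entry both stay host-wide.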
