[37313] in Kerberos
Re: SPNEGO question
daemon@ATHENA.MIT.EDU (Rick van Rein)
Mon Nov 9 17:40:04 2015
Message-ID: <564120AB.7050802@openfortress.nl>
Date: Mon, 09 Nov 2015 23:39:39 +0100
From: Rick van Rein <rick@openfortress.nl>
To: Pascal Jakobi <pascal.jakobi@gmail.com>
In-Reply-To: <56411911.8090601@gmail.com>
Cc: kerberos@mit.edu
Hi Pascal,
> I was able to get it to work (with Firefox) when calling a simple URI
> such as http://host.domain.tld but not when calling
> http://host.domain.tld/test_dir.
That surprises me. I've been putting host.fqdn.names and .domain.names
into the network.negotiate-auth.trusted-uris field in about:config and
not full URIs as the field name suggests, so I wonder how the path could
be of influence.
> I did change the negotiate URI field in firefox configuration,
You were trying to set up the path in the trusted-uris field? That is
not the idea, I think.
The use of trusted-uris is to set up hosts that may receive the Kerberos
tickets, and the path underneath is hardly considered a distribution
across operational boundaries, so it has no real impact on trust.
If your intention is to only pick up the ticket for certain paths, then
you should leave the trusted-uris set to the entire webhost, and set up
the server to only request SPNEGO authentication for the paths that it
considers protected resources.
> but did
> not touch the service keytab (HTTP/<host>). My guess is that the problem
> is there...
>
You cannot change the service keytab for paths; it only mentions the
service name and the server hostname.
> Does this mean that in reality SPNEGO is limited to virtual hosts?
>
Not sure what you're asking. SPNEGO trusted-uris on Firefox are set up
for hostnames AFAIK, and within a server you get to choose when to
trigger SPNEGO by demanding authentication.
> If someone could clarify, this would be more than useful...
>
I hope this helps.
Cheers,
-Rick
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
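
Added example, not part of the original message and not code from any server discussed in it: a WSGI middleware that sends the `WWW-Authenticate: Negotiate` challenge only for protected paths, which is the server-side split the reply describes. The `/test_dir` prefix is taken from the thread; `SpnegoPathGate`, `is_protected`, `negotiate_token` and the `accept_token` hook (a caller-supplied function that would validate the token against the HTTP/<host> keytab through a GSS-API library) are assumed names.

```python
import base64
import binascii
import posixpath

PROTECTED_PREFIXES = ("/test_dir",)  # assumption: the path mentioned in the thread

def is_protected(path):
    """True if path falls under a protected prefix, matched on whole segments."""
    # Collapse //, ./ and ../ first so /x/../test_dir cannot skip the check.
    norm = "/" + posixpath.normpath(path or "/").lstrip("/")
    return any(norm == p or norm.startswith(p + "/") for p in PROTECTED_PREFIXES)

def negotiate_token(environ):
    """Return the raw SPNEGO token from the Authorization header, or None."""
    scheme, _, b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64 is treated as "no credentials"

class SpnegoPathGate:
    """Challenge with Negotiate on protected paths only (single-leg exchange)."""

    def __init__(self, app, accept_token):
        self.app = app
        # Hypothetical hook: bytes -> principal name, or None if rejected.
        self.accept_token = accept_token

    def __call__(self, environ, start_response):
        if not is_protected(environ.get("PATH_INFO", "/")):
            # Unprotected path: no challenge, so the browser sends no ticket.
            return self.app(environ, start_response)
        token = negotiate_token(environ)
        principal = self.accept_token(token) if token else None
        if principal is None:
            # Missing or rejected token: ask the browser to start SPNEGO.
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", "Negotiate"),
                ("Content-Type", "text/plain"),
                ("Content-Length", "0"),
            ])
            return [b""]
        environ["REMOTE_USER"] = principal
        return self.app(environ, start_response)
```

The browser only answers the challenge when the host is listed in network.negotiate-auth.trusted-uris, so the host-level trust setting and the path-level server decision stay independent.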