[37314] in Kerberos
Re: SPNEGO question
daemon@ATHENA.MIT.EDU (Pascal Jakobi)
Tue Nov 10 11:27:29 2015
Message-ID: <5641A55B.1040607@yahoo.fr>
Date: Tue, 10 Nov 2015 09:05:47 +0100
From: Pascal Jakobi <pjakobi@yahoo.fr>
MIME-Version: 1.0
To: Rick van Rein <rick@openfortress.nl>,
Pascal Jakobi <pascal.jakobi@gmail.com>
In-Reply-To: <564120AB.7050802@openfortress.nl>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Got it. Thanks.
On 09/11/2015 23:39, Rick van Rein wrote:
> Hi Pascal,
>
>> I was able to get it to work (with Firefox) when calling a simple URI
>> such as http://host.domain.tld but not when calling
>> http://host.domain.tld/test_dir.
> That surprises me. I've been putting host.fqdn.names and .domain.names
> into the network.negotiate-auth.trusted-uris field in about:config and
> not full URIs as the field name suggests, so I wonder how the path could
> be of influence.
>
>> I did change the negotiate URI field in Firefox configuration,
> You were trying to set up the path in the trusted-uris field? That is
> not the idea, I think.
>
> The use of trusted-uris is to set up hosts that may receive the Kerberos
> tickets, and the path underneath is hardly considered a distribution
> across operational boundaries, so it has no real impact on trust.
>
> If your intention is to only pick up the ticket for certain paths, then
> you should leave the trusted-uris set to the entire webhost, and set up
> the server to only request SPNEGO authentication for the paths that it
> considers protected resources.
>
>> but did
>> not touch the service keytab (HTTP/<host>). My guess is that the problem
>> is there...
>>
> You cannot change the service keytab for paths; it only mentions the
> service name and the server hostname.
>
>> Does this mean that in reality SPNEGO is limited to virtual hosts?
>>
> Not sure what you're asking. SPNEGO trusted-uris on Firefox are set up
> for hostnames AFAIK, and within a server you get to choose when to
> trigger SPNEGO by demanding authentication.
>
>> If someone could clarify, this would be more than useful...
>>
> I hope this helps.
>
>
> Cheers,
> -Rick
>
--
Pascal Jakobi <mailto:pjakobi@yahoo.fr>
116 rue de Stalingrad
93100 Montreuil, France
Tel : +33 6 87 47 58 19
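
An added example, not part of the original thread: the server-side approach Rick describes, where the server sends the `WWW-Authenticate: Negotiate` challenge only for protected paths while the browser trusts the whole host. The WSGI app, the `/test_dir` prefix list, the `accept_token` hook (standing in for GSSAPI acceptance with the HTTP/<host> keytab) and the sample token and principal are all assumptions constructed for illustration.

```python
import base64

PROTECTED_PREFIXES = ("/test_dir",)   # assumption: path borrowed from the thread
SAMPLE_AUTH = "Negotiate " + base64.b64encode(b"constructed-token").decode()

def is_protected(path):
    """True for a protected prefix or anything beneath it (not /test_dirx)."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def make_app(accept_token):
    """accept_token(bytes) -> principal or None. Hypothetical hook: a real
    server would hand the token to GSSAPI using its HTTP/<host> keytab."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not is_protected(path):
            # Public resource: never challenge, so no ticket is requested.
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"public\n"]
        scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        principal = None
        if scheme.lower() == "negotiate" and blob:
            try:
                token = base64.b64decode(blob.strip(), validate=True)
                principal = accept_token(token)
            except ValueError:        # malformed base64 is treated as no token
                principal = None
        if principal is None:
            # The challenge is what makes a trusting browser send a ticket.
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", "Negotiate"),
                            ("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("hello " + principal + "\n").encode()]
    return app

def request(app, path, authorization=None):
    """Drive the app once in-process; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

# Constructed acceptor: recognises only the sample token above.
demo_app = make_app(
    lambda tok: "user@EXAMPLE.TLD" if tok == b"constructed-token" else None)
```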