Re: Kerberos Digest, Vol 171, Issue 14

Hugh Cole-Baker

> On 23 Mar 2017, at 16:01, [hidden email] wrote:
>
> Message: 4
> Date: Thu, 23 Mar 2017 13:26:05 +0000
> From: Giuseppe Mazza <[hidden email]>
> Subject: single sign on problem on macOS Sierra (Version 10.12.3)
> client
> To: [hidden email]
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hello there,
>
> I have tried to implement single sign-on on my MacBook.
>
> What I can:
> - I can kinit and get a valid ticket
> - I can ssh into a linux machine that is part of my realm without being asked for
> a password
>
> What I can *not*:
> - browse a webpage even if I have kinit-ed successfully.
> When I access my url, i.e. https://intranet.example.com
> I am prompted with a window asking for my username and password.
> Moreover I have got no entry in /var/log/krb5kdc.log on my kerberos master.
>
> I am sure the apache server is well configured. If I try to access the
> same webpage from a linux client, it will work.
>
> My questions are
> - what is the authentication mechanism used by firefox to use Kerberos
> for SSO? is it GSS-API?

It's using the GSS-API SPNEGO mechanism over HTTP; RFC 4559 describes how
the mechanism is used for HTTP authentication.

> I am asking because it seems to me that my macbook does not manage to
> contact my kerberos server in the first place.
> - has anybody managed to configure supported browsers for Kerberos SSO
> and apache on macOS clients?
>

Yes, if you're using Firefox you should read
https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
and set the preferences mentioned on that page to whitelist the URLs
you want to use HTTP Negotiate auth with. Firefox will not try Negotiate by
default.
Chrome requires whitelisting servers too, using this setting:
https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist

>
> Kind regards,
>  Giuseppe
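
An added example, not part of the thread, that models the two checks behind the answer above: whether the server's 401 offers Negotiate as RFC 4559 requires, and whether a Firefox-style trusted-URIs whitelist covers the URL so the browser would send a token at all. The preference value, the 401 headers and the diagnose() wording are constructed, and the matching rules are an approximation of Firefox's documented behaviour rather than its code.

```python
from urllib.parse import urlsplit

# Constructed value in the style of Firefox's network.negotiate-auth.trusted-uris:
# comma-separated entries, each "scheme://host[:port]" or a bare domain. A bare
# domain also covers its subdomains; a leading "." covers subdomains only.
# Assumption: this approximates the documented matching rules, not Firefox's code.
TRUSTED_URIS = "https://intranet.example.com, .corp.example.com"

# Constructed 401 response headers of the kind RFC 4559 describes.
SAMPLE_401 = [("Content-Type", "text/html"), ("WWW-Authenticate", "Negotiate")]


def _entry_matches(entry, scheme, host, port):
    """True if one trusted-uris entry covers scheme://host:port (no IPv6 literals)."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry_scheme, _, entry = entry.partition("://")
        if entry_scheme != scheme:  # a scheme was given, so it must match exactly
            return False
    entry_host, _, entry_port = entry.partition(":")
    if not entry_host or (entry_port and int(entry_port) != port):
        return False
    if not host.endswith(entry_host):
        return False
    # The suffix must end on a label boundary: "bar.com" must not cover "foobar.com",
    # otherwise a ticket-bearing token would be sent to an unrelated host.
    rest = host[:-len(entry_host)]
    return rest == "" or rest.endswith(".") or entry_host.startswith(".")


def negotiate_allowed(url, trusted_uris=TRUSTED_URIS):
    """Would a browser configured with trusted_uris attempt Negotiate for url?"""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return any(_entry_matches(e, scheme, host, port) for e in trusted_uris.split(","))


def server_offers_negotiate(headers):
    """RFC 4559: the server's 401 must carry 'WWW-Authenticate: Negotiate'."""
    return any(name.lower() == "www-authenticate" and value.lower().split()[:1] == ["negotiate"]
               for name, value in headers)


def diagnose(url, headers, trusted_uris=TRUSTED_URIS):
    """Explain why a browser did or did not start SPNEGO for url (constructed wording)."""
    if not server_offers_negotiate(headers):
        return "server did not offer Negotiate; check the Apache side"
    if not negotiate_allowed(url, trusted_uris):
        return "url not in the browser whitelist; no token sent, so the KDC logs nothing"
    return "browser should request an HTTP/%s ticket and send a Negotiate token" % urlsplit(url).hostname
```

The second outcome matches the symptom in the question: a password prompt from the browser and no entry in krb5kdc.log means the browser never asked the KDC for a service ticket.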

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos