> On 23 Mar 2017, at 16:01, [hidden email] wrote:
> Message: 4
> Date: Thu, 23 Mar 2017 13:26:05 +0000
> From: Giuseppe Mazza <[hidden email]>
> Subject: single sign on problem on macOS Sierra (Version10.12.3)
> To: [hidden email] > Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
> Hello there,
> I have tried to implement single-sign-on on a my macbook.
> What I can:
> - I can kinit and get a valid ticket
> - I can ssh into a linux machine part of my realm without I am asked for
> a password
> What I can *not*:
> - browse a webpage even if I have kinit-ed successfully.
> When I access my url, i.e. https://intranet.example.com > I am prompted with a window asking for my username and password.
> Moreover I have got no entry in /var/log/krb5kdc.log on my kerberos master.
> I am sure the apache server is well configured. If I try to access the
> same webpage from a linux client, it will work.
> My questions are
> - what is the authentication mechanism used by firefox to use Kerberos
> for SSO? is it GSS-API?
It's using the GSS-API SPNEGO mechanism over HTTP, RFC 4559 describes how
the mechanism is used for HTTP authentication.
> I am asking because it seems to me that my macbook does not manage to
> contact my kerberos server in the first place.
> - has anybody manage to configure supported browsers for Kerberos sso
> and apache on macOS clients?