[27097] in Kerberos

RE: Using kerberos ticket on web browsers

daemon@ATHENA.MIT.EDU (Tim Alsop)
Wed Dec 6 11:23:31 2006

Date: Wed, 6 Dec 2006 16:22:27 -0000
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D3029969E@postman-pat.csafe.local>
In-Reply-To: <20061206134309.M11132@prodesan.com.br>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Com>
To: "Diego Lima" <diego-lima@prodesan.com.br>,
   "Julio Cesar Parra/Mexico/IBM" <jcparra@mx1.ibm.com>,
   "Kerberos Mail List" <kerberos@mit.edu>

Diego,

What URL are you using when you request access to the web site? E.g. if you enter http://server.domain.com, the browser will request a service ticket called HTTP/server.domain.com@<DEFAULT-REALM>. Perhaps you can check if the cache on the workstation contains this ticket after you attempt to log on?

Thanks,
Tim

-----Original Message-----
From: Diego Lima [mailto:diego-lima@prodesan.com.br] 
Sent: 06 December 2006 14:15
To: Tim Alsop; Julio Cesar Parra/Mexico/IBM; Kerberos Mail List
Subject: RE: Using kerberos ticket on web browsers

On Tue, 5 Dec 2006 19:41:23 -0000, Tim Alsop wrote

> It is not possible to configure IE to use anything other than LSA 
> for getting credentials, however Firefox can be configured to use a 
> GSS-API library

Thank you for your tip, I was able to find some documents regarding
configuring Firefox by searching "firefox gss-api" on Google. I've set the
following options on about:config:

network.negotiate-auth.gsslib                     C:\Arquivos de programas\MIT\Kerberos\lib\i386\gssapi32.lib
network.negotiate-auth.trusted-uris               http://, https://
network.negotiate-auth.using-native-gsslib        false

I've got a valid ticket on krb5cc but I'm still getting permission denied on
the protected webpage, although I can access it from a linux machine using the
same principal.

I've sniffed the packets and I see that firefox is answering the negotiate
request with a "NTLMSSP_NEGOTIATE" request, whereas on linux I don't see the
NTLMSSP part.

Here is the answer firefox gives: 

!FE_2@?Po)whP@$GET /apache2-default/protegido HTTP/1.1
Host: 192.168.130.222
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
NTLMSSP(

I have already tried to restart firefox but I'm still getting this error. I
have tried to acquire other tickets, but I get the same error, even with the
same negotiate identification (if that's indeed some kind of id).

Am I missing something? Do I have to configure MIT's gss api with anything
other than krb5.ini on my windows directory?
--

Diego Alencar Alves de Lima
DINF - Prodesan (http://www.prodesan.com.br)
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)
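
Added example (not part of either message): a Python sketch that decodes the token of an "Authorization: Negotiate" header and tells a raw NTLMSSP message from a GSS-API token (SPNEGO or Kerberos 5), run on the token from the capture above. The function name classify_negotiate and the constructed SPNEGO sample are assumptions of this example.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NEGOTIATE_VERSION = 0x02000000                    # NTLM flag: version block present

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header value")
    tok = base64.b64decode(b64.strip(), validate=True)

    # Raw NTLM: 8-byte signature, then little-endian message type and flags.
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 16:
        msg_type, flags = struct.unpack_from("<II", tok, 8)
        info = {"kind": "NTLMSSP", "type": msg_type, "flags": flags}
        # A type 1 message carries the client OS version at offset 32.
        if msg_type == 1 and flags & NEGOTIATE_VERSION and len(tok) >= 40:
            major, minor, build = struct.unpack_from("<BBH", tok, 32)
            info["os_version"] = f"{major}.{minor}.{build}"
        return info

    # GSS-API initial token: [APPLICATION 0] tag, DER length, mechanism OID.
    if len(tok) > 4 and tok[0] == 0x60:
        i = 2 + ((tok[1] & 0x7F) if tok[1] & 0x80 else 0)  # skip the length
        if tok[i:i + 1] == b"\x06" and len(tok) > i + 1:
            oid = tok[i + 2:i + 2 + tok[i + 1]]
            mech = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos5"}.get(oid, "unknown")
            return {"kind": "GSS-API", "mech": mech}
    return {"kind": "unknown"}

# Token copied from the Authorization header in the capture above.
CAPTURED = "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

# Constructed sample (not from the page): minimal SPNEGO-framed token prefix.
_body = b"\x06\x06" + SPNEGO_OID + b"\xa0\x00"
CONSTRUCTED_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(_body)]) + _body).decode()

if __name__ == "__main__":
    print(classify_negotiate(CAPTURED))
    print(classify_negotiate(CONSTRUCTED_SPNEGO))
```

On the captured token this reports an NTLMSSP type 1 message, the reply Diego describes, rather than a GSS-API token carrying a Kerberos service ticket.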

