[27102] in Kerberos
Re: Using kerberos ticket on web browsers
daemon@ATHENA.MIT.EDU (Achim Grolms)
Wed Dec 6 12:50:21 2006
From: Achim Grolms <kerberosml@grolmsnet.de>
To: "Diego Lima" <diego-lima@prodesan.com.br>
Date: Wed, 6 Dec 2006 18:49:53 +0100
In-Reply-To: <20061206172043.M29312@prodesan.com.br>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200612061849.56054.kerberosml@grolmsnet.de>
Cc: Kerberos Mail List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wednesday 06 December 2006 18:29, Diego Lima wrote:
> network.auth.use-sspi true
if true this means Firefox uses the Win32-API (calles SSPI).
Set this to false to use a 3rd party GSSAPI.
(automatically switches network.negotiate-auth.using-native-gsslib
to 'true', this works like a flip-flop)
> network.negotiate-auth.gsslib [path to
> KfW]\lib\i386\gssapi32.lib
Never used this, blank in my setup.
>> network.negotiate-auth.trusted-uris
> http://, https://
in my setup I put my local domains into it I am using
for GSSAPI-based Authentication.
As far as I know Kerberos5 always needs proper configured
hostnames (FQDNs in principals and keytabs), so putting in
your local DNS-domain(s) will be no problem. or?
BTW: does the kvno test work?
I am using it to detect if the underlying GSSAPI works
in general.
> network.negotiate-auth.using-native-gsslib false
Switch this to "true" to make KfW work.
> As far as I understood (I'm probably wrong at some point)
> negotiate-auth.gsslib should be telling which SSPI firefox should use,
> right? Do I need to change anything else?
This is blank in my setup.
Achim
--
using mod_auth_kerb and Windows 2000/2003 as KDC:
<http://www.grolmsnet.de/kerbtut/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
