[38816] in Kerberos
Re: kerberos and web authentication
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Aug 21 22:27:10 2020
Date: Fri, 21 Aug 2020 19:24:04 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rita <rmorgan466@gmail.com>
Message-ID: <20200822022404.GC92412@kduck.mit.edu>
In-Reply-To: <CAOF-KfjFUB90JzpmMUDCFRQrRPAfxTZiOc8a8pSmDmZS5jEe=w@mail.gmail.com>
Cc: kerberos@mit.edu

On Fri, Aug 21, 2020 at 08:04:24PM -0400, Rita wrote:
> hi
>
> The webserver has DNS aliases but not multiple IPs. On a client level is it

(Temporarily) forcing the name to resolve to just a single IP, e.g., via
/etc/hosts, would be one possible diagnostic measure.

> possible to disable the reverse lookup? I am not sure if it's backed up a

See the 'rdns' keyword at
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults

> pool of servers -- is there a way to find out from a client?

In general, no; one can make inferences from careful inspection of response
headers, request/response timing for exchanges that require server-side
state, and the like, but it may require some expertise to interpret the
results.

-Ben

> On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> > On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> > > I created a user keytab. I use curl to authenticate against a web server.
> > > `curl -u : --negotiate` it works randomly (about 33% accuracy). I am
> > > trying to figure out if it's a webserver issue or kerberos issue. Is there
> > > anything else I can do?
> >
> > There's (at least) a couple things that can come into play for this sort of
> > scenario (not least because HTTP Negotiate violates some fundamental
> > assumptions about message- vs. connection-oriented):
> >
> > Does the web server's hostname have multiple IP addresses in the DNS? (Is
> > reverse DNS used for principal canonicalization by the krb5 library? The
> > default is "yes" in many versions.)
> >
> > Does the web server have a pool of backend servers behind a load balancer?
> >
> > -Ben
> >
>
>
> --
> --- Get your facts first, then you can distort them as you please.--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
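
The DNS questions raised in this thread (aliases, multiple addresses, reverse lookups) can be checked from a client with a script like the following. It is an added example, not part of the original messages and not the krb5 library's own code; it uses a simplified model of hostname canonicalization, and the hostnames, addresses and function names are constructed for illustration.

```python
import socket
import sys

# Constructed sample data: one DNS alias whose canonical name has two
# addresses, each with a different PTR record (as behind a server pool).
SAMPLE_FORWARD = {"www.example.test": ("web.example.test",
                                       ["192.0.2.10", "192.0.2.11"])}
SAMPLE_PTR = {"192.0.2.10": "node1.example.test",
              "192.0.2.11": "node2.example.test"}

def forward_lookup(host):
    """Canonical name and distinct addresses from the system resolver."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM,
                               flags=socket.AI_CANONNAME)
    addrs = list(dict.fromkeys(info[4][0] for info in infos))
    return infos[0][3] or host, addrs

def reverse_lookup(addr):
    """PTR name for addr, or None when the address has no reverse entry."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def sample_forward(host):
    """Forward lookup served from the constructed sample table."""
    return SAMPLE_FORWARD[host]

def candidate_spns(host, service="HTTP",
                   forward=forward_lookup, reverse=reverse_lookup):
    """Service principal names a client could request for host.

    Simplified model (an assumption of this example): without reverse DNS
    the forward canonical name is used; with it, the PTR name of whichever
    address gets picked is used.
    """
    canon, addrs = forward(host)
    def spn(name):
        return f"{service}/{name.rstrip('.').lower()}"
    with_rdns = sorted({spn(reverse(a) or canon) for a in addrs})
    return {"rdns_false": spn(canon), "rdns_true": with_rdns}

def is_ambiguous(result):
    """True when reverse DNS can change which principal is requested."""
    return result["rdns_true"] != [result["rdns_false"]]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = candidate_spns(sys.argv[1])       # live DNS for a real host
    else:
        res = candidate_spns("www.example.test",
                             forward=sample_forward, reverse=SAMPLE_PTR.get)
    print(res, "ambiguous:", is_ambiguous(res))
```

If the names listed under `rdns_true` differ from each other or from `rdns_false`, compare them against the principals actually present in the web server's keytab.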