kerberos/spnego sso
John User
johnuser755 at yahoo.com
Tue Sep 5 19:38:24 EDT 2006
--- Michael B Allen <mba2000 at ioplex.com> wrote:
> On Mon, 4 Sep 2006 13:31:58 -0700 (PDT)
> John User <johnuser755 at yahoo.com> wrote:
>
> > I am having no luck setting up kerberos/spnego sso:
> > The players:
> >
> > win2k3 AD box
> > win xp client running IE 6 and latest firefox
> > Weblogic 8.1 on a redhat box.
> > Client trying to access resource on WLS:
> >
> > tcpdump shows WLS sending "WWW-Authenticate :
> > Negotiate" in response to request for the protected
> > resource from IE (and firefox)
> > Neither IE nor firefox make any attempt to get a
> > session ticket, - though they do send something
> > encrypted back in response.
>
> The client probably already had the ticket so no comm. with KDC was
> necessary. You should see the client submit 'Authorization: Negotiate
> YIIExka83jsmd...more base64 encoded data'.
>
klist on client shows no ticket to HTTP/hostname
If run under IE I get a logon screen. Under Firefox I
get nothing.
I am assuming that the client is defaulting and
returning not spnego/kerberos, but spnego/NTLM.
One question I have is whether WebLogic needs to add
anything to "Negotiate"? Is this sufficient for IE to
run the default spnego/kerberos packets?
> > There is no other
> > WWW-Authenticate header being sent.
> > klist shows the client machine does have a tgt.
> > Any hints on how to debug, or has anyone had a similar
> > experience??
> > I have gone through all of the basic documented steps:
> > creation of AD user for WL box, keytabfiles, JAAS
> > config files... and the various changes on client
> > browsers.
>
> Sounds like it could be working. What exactly indicates to you that it
> is not?
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
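The question raised in this thread, whether the browser answered the `Negotiate` challenge with Kerberos or with NTLM, can be settled from the captured `Authorization` value itself. The following is an added example, not part of the original message: it decodes the token and lists the mechanisms the client offered. The function names and `sample_header` (a builder for constructed test input) are assumptions for illustration.

```python
import base64
# DER-encoded OIDs, tag and length bytes included
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos", MS_KRB5: "Kerberos (legacy MS OID)", NTLMSSP: "NTLMSSP"}

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def classify_negotiate(header_value):
    """Describe the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate token"
    try:
        raw = base64.b64decode(b64)
        if raw.startswith(b"NTLMSSP\x00"):
            return "raw NTLM, no SPNEGO wrapper"
        tag, off, _ = _tlv(raw, 0)
        if tag != 0x60:                # 0x60 opens a GSS-API initial context token
            return "unrecognized token"
        if not raw.startswith(SPNEGO, off):
            return MECHS.get(raw[off:_tlv(raw, off)[2]], "unknown mechanism") + ", no SPNEGO wrapper"
        off += len(SPNEGO)
        # NegTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, off, end = _tlv(raw, off)
            if tag != expected:
                return "SPNEGO, but not an initial token"
        offered = []                   # client lists mechanisms in preference order
        while off < end:
            _, _, nxt = _tlv(raw, off)
            offered.append(MECHS.get(raw[off:nxt], "unknown mechanism"))
            off = nxt
    except (IndexError, ValueError):
        return "malformed token"
    return "SPNEGO offering " + ", ".join(offered)

def sample_header(*mech_oids):
    """Constructed input: a NegTokenInit that lists mech_oids and carries no mechToken."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, b"".join(mech_oids)))))
    return "Negotiate " + base64.b64encode(der(0x60, SPNEGO + init)).decode()
```

A base64 value beginning `YII` decodes to the 0x60 GSS-API tag, while one beginning `TlRMTVNT` is a bare `NTLMSSP` message; a SPNEGO token whose mechanism list contains only NTLMSSP means the client did not attempt Kerberos.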