--- Michael B Allen <[EMAIL PROTECTED]> wrote:
> On Mon, 4 Sep 2006 13:31:58 -0700 (PDT) > John User <[EMAIL PROTECTED]> wrote: > > > I am having no luck setting up kerberos/spnego > sso: > > The players: > > > > win2k3 AD box > > win xp client running IE 6 and latest firefox > > Weblogic 8.1 on a redhat box. > > Client trying to access resource on WLS: > > > > tcpdump shows WLS sending "WWW-Authenticate : > > Negotiate" in response to request for the > protected > > resource from IE (and firefox) > > Neither IE nor firefox make any attempt to get a > > session ticket, - though they do send something > > encrtpted back in response. > > The client probably already had the ticket so no > comm. with KDC was > necessary. You should see the client submit > 'Authorization: Negotiate > YIIExka83jsmd...more base64 encoded data'. > klist on client shows no ticket to HTTP/hostname If run under IE I get a logon screen. Under Firefox I get nothing. I am assuming that the client is defaulting and returning not spnego/kerberos, but spnego/NTLM. One question I have is whether WebLogic needs to add anything to "Negotiate"? Is this sufficient for IE to run the default spnego/kerberos packets? > > There is no other > > WWW-Authenticate header being sent. > > klist shows the client machine does have a tgt. > > Any hints on how to debug, or has anyone had a > similar > > experience?? > > I have gone through all of the basic documented > steps: > > creation of AD user for WL box, keytabfiles, JAAS > > config files... and the various changes on client > > browsers. > > Sounds like it could be working. What exactly > indicates to you that it > is not? > > Mike > > -- > Michael B Allen > PHP Active Directory SSO > http://www.ioplex.com/ > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
