Vlad <[email protected]> writes: > You should always use the hostname that is typed in the browser. > Browsers always use the hostname from the URL to request the ticket from > KDC. If you use your actual server name, which will cause the principal > mismatch. And you will get exactly the error you getting.
This is, sadly, not the case. Some browsers do that. Others use the result from doing a forward and then reverse DNS lookup of the hostname. In practice, you need to add HTTP/* principals for both names to the Apache keytab if they differ, and then configure mod_auth_kerb to accept any credential that's available in the keytab. Last time we did testing, Firefox did one thing and IE did the opposite thing, so you'll have substantial numbers of users in both camps. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
