On 01/17/2014 08:02 AM, Morgan Patou wrote:
> [Thu Jan 17 09:28:41 2014] [debug] src/mod_auth_kerb.c(1401): [client < VPN > Internal IP>] Client delegated us their credential
[...]
> It's just as if Firefox has to give the ticket to Apache for each
> element that has to be loaded in the browser (css, images, js, ...). So the
> page takes at least 5 minutes to be completely loaded.

Yeah, traditional Kerberos ticket delegation and HTTP negotiate auth do not mix well. The client fetches a fresh TGT from the KDC for each delegation, adding a bunch of round trips to each HTTP request.

If the server does not need a delegated TGT, then just remove the network.negotiate-auth.delegation-uris setting in Firefox and you should get dramatically better performance. If the server does need a delegated TGT in order to act on the client's behalf for some other service, then perhaps you can restrict the delegation-uris setting to just the URLs where a TGT is needed.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
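
One way to carry out the restriction suggested in the reply above, as an added example that is not part of the original message: a small audit of a Firefox prefs.js/user.js that sorts each delegation-uris entry into keep, remove or too broad. The sample prefs, the example.test host names, the needs_tgt list and the is_broad heuristic are constructed assumptions.

```python
import re

DELEGATION = "network.negotiate-auth.delegation-uris"
# Matches string prefs as written in prefs.js / user.js: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)

# Constructed sample input (not taken from the thread).
SAMPLE_PREFS = '''
user_pref("network.negotiate-auth.trusted-uris", "https://intranet.example.test,https://files.example.test");
user_pref("network.negotiate-auth.delegation-uris", "https://,.example.test,https://intranet.example.test,https://files.example.test");
'''

def read_list(prefs_text, name):
    """Return the comma-separated entries of a string pref, or [] if it is unset."""
    value = dict(PREF_RE.findall(prefs_text)).get(name, "")
    return [e.strip() for e in value.split(",") if e.strip()]

def is_broad(entry):
    """This example's own heuristic (assumption): a bare scheme such as
    "https://" or a leading-dot domain suffix covers many hosts at once."""
    host = entry.split("://", 1)[-1]
    return host == "" or host.startswith(".")

def audit_delegation(prefs_text, needs_tgt):
    """Classify each delegation entry against the URLs known to need a TGT.
    needs_tgt is a hypothetical, administrator-supplied set of URL prefixes."""
    report = {"keep": [], "remove": [], "broad": []}
    for entry in read_list(prefs_text, DELEGATION):
        if is_broad(entry):
            report["broad"].append(entry)
        elif entry in needs_tgt:
            report["keep"].append(entry)
        else:
            report["remove"].append(entry)
    return report

def restricted_pref(report):
    """Render the narrowed pref line; None means remove the setting entirely."""
    if not report["keep"]:
        return None
    return 'user_pref("%s", "%s");' % (DELEGATION, ",".join(report["keep"]))

if __name__ == "__main__":
    result = audit_delegation(SAMPLE_PREFS, {"https://files.example.test"})
    print(result)
    print(restricted_pref(result))
```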