> On 23 Mar 2017, at 16:01, kerberos-requ...@mit.edu wrote:
> 
> Message: 4
> Date: Thu, 23 Mar 2017 13:26:05 +0000
> From: Giuseppe Mazza <g.ma...@imperial.ac.uk>
> Subject: single sign on problem on macOS Sierra (Version10.12.3)
>       client
> To: kerberos@mit.edu
> Message-ID: <eabbaf42-b885-de5f-9948-fc11b182d...@imperial.ac.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Hello there,
> 
> I have tried to implement single-sign-on on my macbook.
> 
> What I can:
> - I can kinit and get a valid ticket
> - I can ssh into a linux machine that is part of my realm without being asked for 
> a password
> 
> What I can *not*:
> - browse a webpage even if I have kinit-ed successfully.
> When I access my url, i.e. https://intranet.example.com
> I am prompted with a window asking for my username and password.
> Moreover I have got no entry in /var/log/krb5kdc.log on my kerberos master.
> 
> I am sure the apache server is well configured. If I try to access the 
> same webpage from a linux client, it will work.
> 
> My questions are
> - what is the authentication mechanism used by firefox to use Kerberos 
> for SSO? is it GSS-API?

It's using the GSS-API SPNEGO mechanism over HTTP; RFC 4559 describes how
the mechanism is used for HTTP authentication.

> I am asking because it seems to me that my macbook does not manage to 
> contact my kerberos server in the first place.
> - has anybody managed to configure supported browsers for Kerberos sso 
> and apache on macOS clients?
> 

Yes, if you're using Firefox you should read
https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
and set the preferences mentioned on that page to whitelist the URLs
you want to use HTTP Negotiate auth with. Firefox will not try Negotiate by
default.
Chrome requires whitelisting servers too, using this setting:
https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist

> 
> Kind regards,
>  Giuseppe

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
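
Added example (not part of the original thread or of any project's code): a small Python helper for the symptom discussed above, which reports whether a 401 response offers Negotiate and what kind of token, if any, the browser sent back. The function names and sample headers are constructed for illustration; the OIDs are the standard SPNEGO and Kerberos 5 mechanism OIDs.

```python
import base64

# DER-encoded mechanism OIDs found at the start of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def offers_negotiate(www_authenticate_values):
    """True if any WWW-Authenticate value offers the Negotiate scheme."""
    for value in www_authenticate_values:
        for challenge in value.split(","):  # one header may carry several challenges
            words = challenge.split()
            if words and words[0].lower() == "negotiate":
                return True
    return False

def classify_token(authorization_value):
    """Classify what a client sent in an Authorization request header."""
    scheme, _, b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # client fell back to NTLM, no Kerberos ticket involved
    if len(token) < 4 or token[0] != 0x60:  # initial tokens are [APPLICATION 0]
        return "unknown"
    # Skip the DER length: short form is 1 byte, long form is 1 + (low 7 bits).
    pos = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    for name, oid in (("spnego", SPNEGO_OID), ("kerberos", KRB5_OID)):
        if token[pos:pos + len(oid)] == oid:
            return name
    return "unknown"

def diagnose(www_authenticate_values, authorization_value=None):
    """Name the stage at which a Negotiate exchange stopped."""
    if not offers_negotiate(www_authenticate_values):
        return "server did not offer Negotiate"
    if authorization_value is None:
        return "client did not attempt Negotiate"
    return "client sent " + classify_token(authorization_value)

# Constructed sample data (not captured traffic).
SAMPLE_401 = ["Negotiate", 'Basic realm="intranet"']
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()

if __name__ == "__main__":
    print(diagnose(SAMPLE_401))
    print(diagnose(SAMPLE_401, SAMPLE_SPNEGO))
```

A result of "client did not attempt Negotiate" matches the case in this thread: the server offers Negotiate, but the browser has not been told to trust the URL, so no service ticket is requested and nothing reaches the KDC log.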
