Re: kerberos/spnego sso closer

2006-09-05 Thread John User
Maybe a step closer: when running ktpass used crypto type des-crc-md5. There is now a session ticket available to both IE and firefox. (Now the issue is to undo all the changes that were attempted in tracing this issue) --- Michael B Allen <[EMAIL PROTECTED]> wrote: > On Tue, 5 Sep 2006 16:38:24

Re: kerberos/spnego sso

2006-09-05 Thread Michael B Allen
On Tue, 05 Sep 2006 21:37:03 -0400 Evan Vittitow <[EMAIL PROTECTED]> wrote: > The capabilities of FireFox and IE are different. IE has to use NTLM. > (with Apache's mod_auth_ntlm FireFox uses mod_auth_kerb with spnego. IE and Firefox each support both NTLM and Kerberos. -- Michael B Allen PHP A

Re: kerberos/spnego sso

2006-09-05 Thread Michael B Allen
On Tue, 5 Sep 2006 16:38:24 -0700 (PDT) John User <[EMAIL PROTECTED]> wrote: > > > Neither IE nor firefox make any attempt to get a > > > session ticket, - though they do send something > > > encrypted back in response. > > > > The client probably already had the ticket so no > > comm. with KDC w

Re: kerberos/spnego sso

2006-09-05 Thread Evan Vittitow
This is the exact thing I'm dealing with with Kerberos and Egroupware. The capabilities of FireFox and IE are different. IE has to use NTLM. (with Apache's mod_auth_ntlm FireFox uses mod_auth_kerb with spnego. To get that working, the site you are connecting to has to be a "Trusted URI" in the neg

Re: kerberos/spnego sso

2006-09-05 Thread John User
--- Markus Moeller <[EMAIL PROTECTED]> wrote: > You say WLS replies with Negotiate to the client, > which means from there on > the client has to decide to use Kerberos and if so > request a TGS. So it > seems for some reason your client decides to reject > Kerberos as an option > and select

Re: kerberos/spnego sso

2006-09-05 Thread Markus Moeller
You say WLS replies with Negotiate to the client, which means from there on the client has to decide to use Kerberos and if so request a TGS. So it seems for some reason your client decides to reject Kerberos as an option and selects immediately NTLM. Did you try it from another client machine?

Re: kerberos/spnego sso

2006-09-05 Thread John User
These have been changed to reflect the appropriate host sought. Though that brings to mind the question: IE defaults to ntlm, is this also the case for firefox?? --- "Thomas A. La Porte" <[EMAIL PROTECTED]> wrote: > What is the value of > "network.negotiate-auth.trusted-uris" in > Firefox (typ

Re: kerberos/spnego sso

2006-09-05 Thread John User
These things have been performed. Absolutely no packet goes from client to kdc (and no session ticket exists prior) for the sought after hostname. (though as mentioned in the first email other tickets exist on client, so we know kerberos is functioning and client does know the kdc). --- Markus M

Re: kerberos/spnego sso

2006-09-05 Thread Thomas A. La Porte
What is the value of "network.negotiate-auth.trusted-uris" in Firefox (type "about:config" in the URL location bar to see the value). If it's blank, Firefox won't attempt SPNEGO authentication with any web sites. -- Tom Thomas A. La Porte, DreamWorks Animation On

Re: kerberos/spnego sso

2006-09-05 Thread John User
--- Michael B Allen <[EMAIL PROTECTED]> wrote: > On Mon, 4 Sep 2006 13:31:58 -0700 (PDT) > John User <[EMAIL PROTECTED]> wrote: > > > I am having no luck setting up kerberos/spnego > sso: > > The players: > > > > win2k3 AD box > > win xp client running IE 6 and latest firefox > > Weblogic 8.1

Re: kerberos/spnego sso

2006-09-05 Thread Markus Moeller
I guess you checked already the Browser configurations. (On IE Windows Integrate authentication enabled and the domain added to the trusted or local intranet zone, On firefox set network-negotiate-auth.trusted-uris and/or network.negotiate-auth.delegation-uris). Check also with kerbtray if you

Re: krb5 malformed over satellite link

2006-09-05 Thread Douglas E. Engert
He could try forcing the use of TCP by adding udp_preference_limit = 1 to the krb5.conf [libdefaults] i.e. all packets over 1 byte will try TCP before UDP. Since Active directory is going to return a PAC in the ticket, most tickets will be big and will need to fall over to using TCP anyway. Marku

Re: krb5 malformed over satellite link

2006-09-05 Thread Markus Moeller
Do you use an IPSEC VPN over the satellite link or is the mtu smaller than 1500 bytes? This might be a problem if the already fragmented packet has to be fragmented again. Regards Markus "Sandeep Bhardwaj" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > hi > > we are trying to m

Re: Delegation w/ Java

2006-09-05 Thread Michael B Allen
On Tue, 05 Sep 2006 11:50:52 -0700 Seema Malkani <[EMAIL PROTECTED]> wrote: > Support for RC4-HMAC is available starting from J2SE 5.0 Update 7. > 3) Update Kerberos configuration file to include following: > [libdefaults] > default_tkt_enctypes = rc4-hmac > default_tgs_enctypes = rc4-hmac Hi S

Re: kerberos/spnego sso

2006-09-05 Thread Michael B Allen
On Mon, 4 Sep 2006 13:31:58 -0700 (PDT) John User <[EMAIL PROTECTED]> wrote: > I am having no luck setting up kerberos/spnego sso: > The players: > > win2k3 AD box > win xp client running IE 6 and latest firefox > Weblogic 8.1 on a redhat box. > Client trying to access resource on WLS: > > tcpdu

Re: Delegation w/ Java

2006-09-05 Thread Seema Malkani
Support for RC4-HMAC is available starting from J2SE 5.0 Update 7. However your account is setup for "DES" only. The native TGT in the ticket cache has EType of DES. Ensure the Kerberos configuration is setup to define the enctypes as per the Active Directory account settings. To use RC4-HMAC K

Transferring a secure context

2006-09-05 Thread Olfmatic
Hello, I am trying to transfer a secure GSSContext after I established it so I can use it later to encrypt a session ID. But when I want to do this with the recreated GSSContext, I get an exception that says, that the mechanism context wasn't set yet. What am I doing wrong? This is how I do it

kerberos/spnego sso

2006-09-05 Thread John User
I am having no luck setting up kerberos/spnego sso: The players: win2k3 AD box win xp client running IE 6 and latest firefox Weblogic 8.1 on a redhat box. Client trying to access resource on WLS: tcpdump shows WLS sending "WWW-Authenticate : Negotiate" in response to request for the protected res

krb5 malformed over satellite link

2006-09-05 Thread Sandeep Bhardwaj
hi we are trying to make active directory set up of windows over the satellite link to work everything is working except that my krb5 TGS-REQ packet comes fragmented 1514(ip) and 61(udp) and when it reaches the other side- server side it loses the encrypted header and sniffer shows the packet as

Active Directory + Kerberos Question

2006-09-05 Thread ninjabytes
Hello, I was wondering if you guys know if there is *any* thing that could retrieve Active Directory attributes through JAVA from Linux, actually running CENTRIFY (www.centrify.com) which uses KERBEROS. Thank you guys Kerberos mailing list