RE: [EXTERNAL] kinit using smartcard or tpm cert for pkinit

2014-04-01 Thread Nebergall, Christopher
It supports pkcs11. http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html?highlight=pkcs11 -Christopher -Original Message- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Huang, Peter (HP-IT Palo Alto) Sent: Tuesday, April 01, 2014 7:52 A

RE: [EXTERNAL] using kerberos to authenticate for a web api

2013-11-05 Thread Nebergall, Christopher
mod_auth_kerb works, most of the updates nowadays come from Redhat and others within a specific linux distro. So you can install using your distro specific package manager. I believe redhat puts their patches in the srpms if you want to compile their latest for a different platform. >>and it wou

RE: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

2013-04-22 Thread Nebergall, Christopher
What does this return? kvno -e des-cbc-md5 sapldap/ads.company@company.com -Christopher -Original Message- From: Ray Vand [mailto:ray_v...@filemaker.com] Sent: Monday, April 22, 2013 4:46 PM To: Nebergall, Christopher Cc: Benjamin Kaduk; kerberos@mit.edu Subject: Re: [EXTERNAL] Re

RE: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

2013-04-22 Thread Nebergall, Christopher
Do you need to have allow_weak_crypto = true set in your krb5.conf? -Christopher -Original Message- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Ray Vand Sent: Monday, April 22, 2013 3:38 PM To: Benjamin Kaduk Cc: kerberos@mit.edu Subject: [EXTERNAL] Re:

RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

2013-03-14 Thread Nebergall, Christopher
within the IETF. ticket: 7026 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970 :04 04 b66f21d675fdcbe7427ba0140d73185e7134a4e0 a59cdbe0e1c273bd63a68f8dfb1c8e21ceb31364 M src -Original Message- From: Nebergall, Christopher

RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

2013-03-13 Thread Nebergall, Christopher
ough mod_proxy. Thanks for your help! -Christopher -Original Message- From: Simo Sorce [mailto:s...@redhat.com] Sent: Wednesday, March 13, 2013 10:08 AM To: Nebergall, Christopher Cc: kerberos@mit.edu Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

2013-03-13 Thread Nebergall, Christopher
oun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Nebergall, Christopher Sent: Tuesday, March 12, 2013 3:04 PM To: Greg Hudson Cc: kerberos@mit.edu Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching Thank you I believe that will be very helpful but I'm

RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

2013-03-13 Thread Nebergall, Christopher
enticate the user - it just gets the identity from the apache request rec. Does that make sense? -Topher -Original Message- From: Simo Sorce [mailto:s...@redhat.com] Sent: Tuesday, March 12, 2013 9:21 PM To: Nebergall, Christopher Cc: kerberos@mit.edu Subject: RE: [EXTERNAL] Re

RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

2013-03-12 Thread Nebergall, Christopher
rom: Simo Sorce [mailto:s...@redhat.com] Sent: Tuesday, March 12, 2013 4:03 PM To: Nebergall, Christopher Cc: kerberos@mit.edu Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching On Tue, 2013-03-12 at 00:23 +0000, Nebergall, Christopher wrote: > Does anyone have any tip

RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

2013-03-12 Thread Nebergall, Christopher
nformation gss_acquire_cred_impersonate_name: KDC has no support for padata type -Christopher -Original Message- From: Greg Hudson [mailto:ghud...@mit.edu] Sent: Monday, March 11, 2013 10:44 PM To: Nebergall, Christopher Cc: kerberos@mit.edu Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential C

Kerberos Constrained Delegation and Credential Caching

2013-03-11 Thread Nebergall, Christopher
Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again? In the example krb5-1.10.3/src/tests/gssapi/t_s4u.c at near the end of contrainedDelegate function after the gss_init_sec_context tried to copy the

RE: [EXTERNAL] Spnego to Tomcat Fronted by Apache

2013-02-06 Thread Nebergall, Christopher
I haven't tested that configuration but it should work. Is apache webserver on the same system as tomcat? If not, then the client may be requesting the wrong key - and you could end up attempting the wrong key or NTLM rather than Kerberos. You can set up wireshark at each of the hops to ve

RE: [EXTERNAL] resend spnego token

2012-12-07 Thread Nebergall, Christopher
No, you shouldn't cache it or it will be seen to be a replay attack. There is no reason it needs to contact the KDC again to generate another token after the first request where it gets a service ticket. Generally IIS only needs 1 Spnego token per connection, while mod_auth_kerb in apache want

RE: SPNEGO auth with service principal in other realm work with IE and not with Firefox

2011-10-19 Thread Nebergall, Christopher
Firefox is running on the same windows install as IE? On windows Firefox uses Windows's Kerberos by default so if it is set up correctly it should act the same as IE. Set up Firefox like this. network.negotiate-auth.trusted-uris=example.com network.negotiate-auth.delegation-uris=example.com ne

Re: Performance issues with krb5-1.9.1

2011-08-09 Thread Nebergall, Christopher
- Original Message - From: Chris Hecker [mailto:chec...@d6.com] Sent: Tuesday, August 09, 2011 01:39 PM To: kerberos@mit.edu Subject: Re: Performance issues with krb5-1.9.1 Ah, yeah, my tests had krb5kdc at about 50% of one core (slapd was an additional 15%), but it wasn't completely

PKINIT in Mac Kerberos Source?

2006-02-14 Thread Nebergall, Christopher
Does anyone know anything about the (partial?) pkinit implementation in Mac's version of MIT Kerberos? How close is it to working? -Christopher -Original Message- From: Paul Nelson Sent: Tuesday, February 14, 2006 1:01 PM To: Nebergall, Christopher; Timothy J. Miller; Brian Raymo

RE: Kerberos ticket access to MS Exchange

2005-08-16 Thread Nebergall, Christopher
Did anyone have any luck with GSSAPI in SMTP and POP? This suggests that they support it. http://www.msexchange.org/tutorials/Telnet-Exchange2003-POP3-SMTP-Troubleshooting.html -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Hornstein Sent: Monday

Kerberos ticket access to MS Exchange

2005-07-30 Thread Nebergall, Christopher
Are there ANY mail client programs besides MS Outlook on any OS which support kerberos ticket authentication to Microsoft exchange? Does MS even use the standard gssapi sasl for IMAP? -Christopher Nebergall

RE: PKINIT Standard

2004-12-07 Thread Nebergall, Christopher
Thanks for the information. Does MIT intend to implement the standard once it's finalized? -Christopher -Original Message- From: Sam Hartman [mailto:[EMAIL PROTECTED] Sent: Friday, December 03, 2004 10:42 AM To: Nebergall, Christopher Cc: [EMAIL PROTECTED] Subject: Re: PKINIT Sta

PKINIT Standard

2004-12-02 Thread Nebergall, Christopher
Does anyone know how close the PKINIT draft is to being a final version? What mailing lists should I join to keep up on this? http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-21.txt Thanks, Christopher -- Christopher Nebergall [EMAIL PROTEC

RE: Fedora2/Apache2 and Key Version Error

2004-08-26 Thread Nebergall, Christopher
. -Christopher -Original Message- From: Scott Moseman [mailto:[EMAIL PROTECTED] Sent: Thursday, August 26, 2004 9:21 AM To: 'Nebergall, Christopher'; [EMAIL PROTECTED] Subject: RE: Fedora2/Apache2 and Key Version Error We blew away all service accounts in AD (2003) and removed

RE: Fedora2/Apache2 and Key Version Error

2004-08-25 Thread Nebergall, Christopher
You can use ethereal, a packet sniffer. http://www.ethereal.com/ But that is not your problem, from your error messages Apache it is sending the header fine. The problem occurs later when the web server is trying to process the token sent from the browser. gss_accept_sec_context() failed: Miscell

kerberos binary compatiblity

2004-07-07 Thread Nebergall, Christopher
I've been tracking a bug on Mozilla about their recent support of kerberos for web authentication but it may at some point also be used for authentication to mail servers. The Mozilla releases are compiled on a stock RH 7 box and the negotiateauth extensions is linked dynamically against its (real

RE: RBAC and Kerberos?

2004-06-02 Thread Nebergall, Christopher
>>>Kerberos fits in best as an AuthN system. It can very easily tie into LDAP which can support your AuthZ needs. This is true within a single enterprise. LDAP support for authorization becomes more difficult once you are talking about federation between different organizations. It requires yo

RE: libcom_err.so3 not found

2004-05-28 Thread Nebergall, Christopher
libcom_err.so should be part of any Kerberos rpm package (I don't know if it requires the dev packages). I did a search for this on the web for Mandrake and most of my results were for old versions of Kerberos, but the Mozilla extension has been tested with krb5-1.2.7 and newer, so you should be ab

Disable Mac OS X Kerberos Auto Prompting

2004-04-11 Thread Nebergall, Christopher
Is there a way, programmatically or in a configuration file, to disable Mac OS X auto-prompting for the user's kerberos password? I'm interested in only disabling auto-prompting in one particular application. Thanks, Christopher Nebergall

RE: SPNEGO APIs and Apache modules

2003-09-04 Thread Nebergall, Christopher
If you hammer on a page with Internet Explorer it will send what MIT Kerberos considers replays of the gss-init-sec-context tokens. So in order to get around this you either need to always use SSL and disable the replay cache on the server, (Which unless the api has changed in recent versions of M