On Fri, 21 Dec 2007, Russ Allbery wrote:
Richard A Nelson <[EMAIL PROTECTED]> writes:
Not quite... my browser is capable of SPNEGO, but did not have a ticket
Therefore, the browser<->server auth should've been in basic mode.
Oh, okay, then yes, that should work.
Then I have a chance :)
mod-auth-kerb, however failed the request since the realm wasn't on its
list of approved realms...
Where is the realm coming from? I think that's the part that confused me.
I was assuming that you were doing SPNEGO, since that would then
authenticate as a fully-qualified principal, but if you're doing basic
auth, how did mod_auth_kerb get a realm? Did you enter one in the
browser?
The basic problem is my companies choice of intranet authentication -
the user's email address (userid@<cc>.company.com) :(
So every userid appears to be a Kerberos realm, but the only valid
realms are listed in the configuration file... everything else
even if resembling a realm, should be handed down to Basic auth where
either LDAP, or FILES will validate it (or not).
IE by default disables SPNEGO to any site that's not in its trusted zone.
That makes sense, it took me a bit to find out how to enable SPNEGO in
firefox, thunderbird, and sunbird... with different notions of defaults
(some https:, some no default) - and a separation of urls to offer
SPNEGO and those to delegate credentials to
--
Rick Nelson
"What does this tell me? That if Microsoft were the last software
company left in the world, 13% of the US population would be scouring
garage sales & Goodwill for old TRS-80s, CPM machines & Apple ]['s before
they would buy Microsoft. That's not exactly a ringing endorsement."
-- Seen on Slashdot
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
