Occasional Advisor
vincent_vega
Posts: 8
Registered: ‎07-13-2012
Accepted Solution

Firefox SSO not working..

Hello all,

 

I'm currently in an internship and I have to study Linux Integration into an AD Domain, with SSO.

I used Likewise first, but it was too buggy :/

 

I tried Centrify, and that's much better ! (thx for the awesome work, by the way)

 

But I'm not able to do SSO. I installed Centrify DirectControl Express and the Centrify-Enabled Kerberos module, and the AD connection is smooth. I get a ticket at each login, the HTTP SPN is set up, and Centrify detected the two Domain Controllers automatically, and the encryption too.

 

Looks like the client is clean.

 

I configured Firefox to do SSO following some tutorials, but the server keeps asking me for a manual login (I think the server is well configured, but I can't be sure, I'm only an intern :>).

 

I configured Firefox to do some logging, but the log is empty after trying to authenticate. I looked at the network traffic with Wireshark, and it looks like the Kerberos ticket is sent to the server. So I don't understand at all what my problem is.

 

Any ideas, help ?

 

Thanks in advance, and sorry for my bad English (I'm French).

 

Some useful data :

 

/etc/krb5.conf (manually configured; I deactivated Centrify's auto refresh of the file, thanks to some solutions you provided to customers on this forum)

 

 

[libdefaults]
 default_realm = INTRANET-BOURGES.FR
 default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true
 passwd_check_s_address = false
 udp_preference_limit = 1
 ccache_type = 3
 kdc_timesync = 0
 allow_weak_crypto = true

[domain_realm]
 .client-02 = INTRANET-BOURGES.FR
 .intranet-bourges.fr = INTRANET-BOURGES.FR
 client-02 = INTRANET-BOURGES.FR
 client-02.intranet-bourges.fr = INTRANET-BOURGES.FR
 intranet-bourges.fr = INTRANET-BOURGES.FR
 s-dc1.intranet-bourges.fr = INTRANET-BOURGES.FR
 s-dc3.intranet-bourges.fr = INTRANET-BOURGES.FR

[realms]
 INTRANET-BOURGES.FR = {
  kdc = s-dc1.intranet-bourges.fr:88
  master_kdc = s-dc1.intranet-bourges.fr:88
  kpasswd = s-dc1.intranet-bourges.fr:464
  kpasswd_server = s-dc1.intranet-bourges.fr:464
  kdc = s-dc3.intranet-bourges.fr:88
  master_kdc = s-dc3.intranet-bourges.fr:88
  kpasswd = s-dc3.intranet-bourges.fr:464
  kpasswd_server = s-dc3.intranet-bourges.fr:464
 }

Here is the output of the klist command :

 

Ticket cache: FILE:/tmp/krb5cc_cdc1350591366_2A9SES
Default principal: vincent.vieira@INTRANET-BOURGES.FR

Valid starting     Expires            Service principal
07/13/12 16:43:00  07/14/12 02:41:29  krbtgt/INTRANET-BOURGES.FR@INTRANET-BOURGES.FR
	renew until 07/20/12 16:43:00

Here is the output of the klist -kt command:

 

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 nfs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 ftp/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 cifs/client-02@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR

 

And here is the Firefox configuration :

 

network.negotiate-auth.delegation-uris=http://s-intranet2,https://s-exchange2/mail,https://exchange10/owa

network.negotiate-auth.gsslib=/opt/centrify/DirectControl-4.4.3/kerberos/lib/libgssapi_krb5.so.2.2

network.negotiate-auth.trusted-uris=http://s-intranet2,https://s-exchange2/mail,https://exchange10/owa

network.negotiate-auth.using-native-gsslib=false

 

I can provide you the Wireshark dumps if you want, just ask me. :)

Centrify
Fabrice
Posts: 58
Registered: ‎07-13-2012

Re: Firefox SSO not working..


Hi Vincent,

 

According to the details you gave, you seem to have a valid Kerberos ticket and a correctly configured Firefox client. However, when SSO doesn't work the problem is often on the server side. In most cases the server doesn't send the HTTP 401 Negotiate challenge, so Firefox doesn't answer with the Kerberos ticket and you instead fall back to classic form authentication.

As I am also French, you could contact me by mail to try to figure out what happens.

 

Fabrice

Occasional Advisor
vincent_vega
Posts: 8
Registered: ‎07-13-2012

Re: Firefox SSO not working..

I just sent you a private message. But there's a little bug, I think: you have the same nickname as another user, so I must reply to both to get my message sent.

 

I think we should find another way to communicate.

 

Anyway, thanks for your interest !

 

But my problem is still here.. So if anyone has a solution, some tips.. I'm taking them !

Occasional Advisor
vincent_vega
Posts: 8
Registered: ‎07-13-2012

Re: Firefox SSO not working..

Sorry for the double post, but I'm providing here some additional data about the HTTP 401 challenge. I looked at the HTTP headers, and all seems normal; I don't understand why I keep falling back to basic authentication:

http://s-intranet2/

GET / HTTP/1.1
Host: s-intranet2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Authorization Required
Date: Mon, 16 Jul 2012 15:14:35 GMT
Server: Apache
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Veuillez vous identifier"
Content-Length: 401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
http://s-intranet2/

GET / HTTP/1.1
Host: s-intranet2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Negotiate [token elided]

HTTP/1.1 401 Authorization Required
Date: Mon, 16 Jul 2012 15:14:35 GMT
Server: Apache
WWW-Authenticate: Basic realm="Veuillez vous identifier"
Content-Length: 401
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
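The two exchanges above contain the whole diagnosis if you read them in order: the server offers Negotiate, the browser answers with a Negotiate token, and the server then drops Negotiate from its second 401 and offers only Basic. The following is an added example, not code from the thread or from Centrify or mod_auth_kerb: it walks an SPNEGO token far enough to see which mechanism the browser put first (Kerberos vs NTLM), reads the WWW-Authenticate and Authorization headers off the captured messages, and names the party that broke the handshake. The real token in the post is elided, so the sample request carries a NegTokenInit built here from the real mechanism OIDs with placeholder AP-REQ bytes; the header strings are trimmed copies of the capture.

```python
import base64

# Minimal DER: enough to build and walk a SPNEGO NegTokenInit (RFC 4178).
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

# Mechanism OIDs (encoded contents only; der() adds the 0x06 tag and length).
OID_SPNEGO  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MSKRB5  = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "kerberos", OID_MSKRB5: "kerberos", OID_NTLMSSP: "ntlm"}

def build_neg_token_init(mechs, mech_token: bytes = b"") -> str:
    """Base64 SPNEGO NegTokenInit offering `mechs` in preference order (constructed sample)."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs)))
    token = der(0xA2, der(0x04, mech_token)) if mech_token else b""
    neg_init = der(0xA0, der(0x30, mech_types + token))
    return base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + neg_init)).decode()

def classify_negotiate_token(b64: str) -> str:
    """Which mechanism did the browser put first in its `Authorization: Negotiate` token?"""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):          # raw NTLM sent under the Negotiate scheme
        return "ntlm"
    tag, body, _ = der_read(raw)
    if tag != 0x60:                              # not a GSS-API InitialContextToken
        return "unknown"
    oid_tag, oid, pos = der_read(body)
    if oid_tag != 0x06:
        return "unknown"
    if oid != OID_SPNEGO:                        # bare Kerberos AP-REQ without SPNEGO wrapping
        return MECH_NAMES.get(oid, "unknown")
    _, neg_init, _ = der_read(body, pos)         # [0] NegTokenInit
    _, seq, _ = der_read(neg_init)               # SEQUENCE { mechTypes, ... }
    ctx, mech_types, _ = der_read(seq)
    if ctx != 0xA0:                              # [0] mechTypes must come first
        return "unknown"
    _, oids, _ = der_read(mech_types)            # SEQUENCE OF MechType
    _, first, _ = der_read(oids)                 # preferred mechanism is listed first
    return MECH_NAMES.get(first, "unknown")

def header_values(message: str, name: str) -> list:
    """All values of header `name` in one raw HTTP message (request or response)."""
    values = []
    for line in message.strip().splitlines()[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                values.append(value.strip())
    return values

def offered_schemes(response: str) -> list:
    return [v.split()[0] for v in header_values(response, "WWW-Authenticate")]

def status_code(response: str) -> int:
    return int(response.strip().splitlines()[0].split()[1])

def diagnose(challenge: str, reply: str, final: str) -> str:
    """Name the party that broke the SPNEGO handshake: challenge -> browser reply -> server verdict."""
    if "Negotiate" not in offered_schemes(challenge):
        return "server-no-negotiate"            # web server never challenged for Negotiate
    auth = header_values(reply, "Authorization")
    if not auth or not auth[0].startswith("Negotiate "):
        return "browser-no-token"               # trusted-uris, gsslib or no TGT in the cache
    mech = classify_negotiate_token(auth[0].split(None, 1)[1])
    if mech != "kerberos":
        return "browser-sent-" + mech           # no service ticket: SPN / DNS / domain_realm issue
    if status_code(final) == 401 and "Negotiate" not in offered_schemes(final):
        return "server-rejected-kerberos"       # keytab / Krb5ServiceName mismatch on the server
    return "sso-ok" if status_code(final) < 400 else "unknown"

# Constructed from the exchange in this thread; the real token was elided, so one is built here.
CHALLENGE = """HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Veuillez vous identifier"
"""
SAMPLE_TOKEN = build_neg_token_init([OID_MSKRB5, OID_KRB5], b"\x60\x00")  # placeholder AP-REQ bytes
REPLY = "GET / HTTP/1.1\nHost: s-intranet2\nAuthorization: Negotiate %s\n" % SAMPLE_TOKEN
FINAL = """HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Basic realm="Veuillez vous identifier"
"""

if __name__ == "__main__":
    print(diagnose(CHALLENGE, REPLY, FINAL))   # server-rejected-kerberos
```

Paste the three messages from a "Follow TCP stream" view in place of the constructed ones. A verdict of server-rejected-kerberos means the client side is done: the browser produced a Kerberos token for the SPN it derived from the URL, so what is left to check is whether the server's keytab holds that exact principal with the current key version.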

 

Centrify
Fel
Posts: 613
Registered: ‎07-06-2010

Re: Firefox SSO not working..

What are you using on the Web server side to achieve SSO?  What is the web server platform you're using and how are you trying to get SSO?  Obviously you're trying to get Kerberos to work, but it would be helpful to know how you're configuring the backend.

 

Did the network trace show any errors?

 

Please note that we have great solutions for SSO access to applications running on Apache, JBoss, Tomcat, WebLogic and WebSphere that will guarantee you get SSO access and will work much more reliably than mod_auth_kerb-type solutions, while giving you NTLM, Basic authentication and group-membership-based authorization. You can find more information here.

 

Felderi Santiago
Senior Systems Engineer
Centrify Corporation

Found my response helpful? Click the Kudos button!
Occasional Advisor
vincent_vega
Posts: 8
Registered: ‎07-13-2012

Re: Firefox SSO not working..


Hello,

 

I'm using (or more precisely, the company I'm working for is using) Apache, with the mod_auth_kerb module.

I took a look at the backend, and it seems to have a problem with the configuration.

 

Krb5ServiceName seems to be misconfigured and this is maybe why my keytab is rejected.

The configured SPN is :

Krb5ServiceName = HTTP/s-intranet2.intranet-bourges.fr@INTRANET-BOURGES.FR

 

And when I look at my keytab, the SPN is:

 

HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR

 

I will do some tests tomorrow and I'll keep this post updated.

 

Thanks for the link, but as I'm only an intern, the company doesn't want to put money into this for the moment (because the Linux integration is only a project, and because all PCs run Windows; mod_auth_kerb works well with Windows authentication).

 

The network trace shows that the Linux client sees that the server can use Negotiate, sends the Kerberos token to the server, and then the server re-sends an HTTP 401 to the GET, with only basic authentication (which means that the token is rejected).

Centrify
Fel
Posts: 613
Registered: ‎07-06-2010

Re: Firefox SSO not working..

If I were you, as part of your write-up I would advise your management that mod_auth_kerb doesn't provide:

 

1) Fallback to NTLM or Basic authentication in case of Kerberos failures like the one you're experiencing.

2) Centralized Authorization capabilities based on AD group membership

3) The ability to bring back to the application all AD user attributes

4) No support

 

If they would like an Enterprise solution, mod_auth_kerb won't provide them that.

 

With that said, your issue is likely due to the fact that you haven't registered the URL as an SPN for the computer account.

 

The easiest way to do this is to remove the machine from the domain by running the adleave command:

/usr/sbin/adleave -u <adusername> -r

 

Then run the adjoin command like you did before, except that this time you want to add the -a option and enter all of the URLs associated with this web server, like so:

 

/usr/sbin/adjoin -w -u <adusername> -c <OU> -a url1.company.com -a url2.company.com <addomain>

 

After you have joined the system to AD, the output of the following command will display all of the SPNs associated with the computer account.

 

adinfo -C

 

Then on the client side be sure to lock your screen and to unlock it.  This will flush your Kerberos cache and force IE to get a new TGS for the web server.

 

If you're still having issues, run a network trace.

 

Another thing to be aware of is encryption type mismatch. Centrify uses the strongest algorithm type the AD environment we're joining supports (i.e. AES-256 for a Windows 2008 environment). mod_auth_kerb may only support weaker encryption types.

 

Good luck.

 

 

Felderi Santiago
Senior Systems Engineer
Centrify Corporation

Occasional Advisor
vincent_vega
Posts: 8
Registered: ‎07-13-2012

Re: Firefox SSO not working..


mod_auth_kerb allows Basic fallback authentication with the right config; that's what I'm experiencing.

 

By the way, I tested your tips and it didn't work at all, I can't join the domain.

I issue this command :

/usr/sbin/adjoin -u <username> -w -a s-intranet2.intranet-bourges.fr -a s-dev.intranet-bourges.fr -a s-exchange2.intranet-bourges.fr INTRANET-BOURGES.FR

And then I get this error message:

Using writable domain controller: s-dc1.intranet-bourges.fr
Error: One or more of the following SPNs already associated with other account in the forest: 
HTTP/client-02
HTTP/client-02.intranet-bourges.fr
HTTP/s-dev.intranet-bourges.fr
HTTP/s-exchange2.intranet-bourges.fr
HTTP/s-intranet2.intranet-bourges.fr
host/client-02
host/client-02.intranet-bourges.fr
host/s-dev.intranet-bourges.fr
host/s-exchange2.intranet-bourges.fr
host/s-intranet2.intranet-bourges.fr
Accounts that contain same SPNs are: 
CN=httpd-sdev,OU=ADM,DC=intranet-bourges,DC=fr
CN=httpd-intranet,OU=ADM,DC=
Each SPN must be unique across the forest. Please make sure the SPNs listed above are unique across the forest before joining.

Join to domain 'INTRANET-BOURGES.FR', zone 'Auto Zone' failed.

When I run the command without any -a arguments, I join the AD domain without any problems. But I can't do SSO, because of the lack of the right SPN in the keytab.

 

As far as I know, there are two user accounts in AD made for the HTTP SPN of each website I'm trying to do SSO for. They are mandatory to perform SSO on Windows.

 

Is there any way to bypass this limitation, or a way to edit the keytab to get the right SPNs configured?

Centrify
Fel
Posts: 613
Registered: ‎07-06-2010

Re: Firefox SSO not working..

Yes. You can try to get mod_auth_kerb to fall back to Basic, but my past research uncovered many people who had issues trying to get it to work.

 

Even if you get it to work reliably, you won't have support for the solution, AD group authorization capabilities, etc.

 

It's an option to present to your management if they want an Enterprise solution. It will also come across like you've done research, etc.

 

The reason the suggestion didn't work is that Kerberos principals have to be unique in a Kerberos realm, and since the SPN you're trying to associate with a new computer account is already associated with another computer/user account, the join fails.

 

If you have two user accounts with the right SPNs already registered, you need to use those user accounts to obtain the TGS and then use keytabs for those user accounts to validate the TGS on the server side. This would also explain why you're getting a failure with SSO.

 

There is a way to get what you're trying to do to work.

 

1) Create a keytab for each user account and tell mod_auth_kerb to use the appropriate keytab. You can use the Centrify-provided adkeytab utility to do this; see man adkeytab for more details. mod_auth_kerb has a Krb5Keytab directive you can use to specify which keytab to use.

 

2) Create a keytab for each user account (see man adkeytab for more details) and merge the keytab(s) with the machine keytab. The ktutil command will help you merge the keytabs; see man ktutil or search the Web for details.

 

In summary, principals and SPNs must be unique in AD. If you already have user accounts with the SPNs created for the URLs that will be used, you need to create keytabs based on those user accounts. mod_auth_kerb will have to use a keytab that contains the SPNs and secret keys of the principals the SPNs are associated with, to properly verify the TGS being forwarded by the browser.

 

Good luck.

 

Felderi Santiago
Senior Systems Engineer
Centrify Corporation

Occasional Advisor
vincent_vega
Posts: 8
Registered: ‎07-13-2012

Re: Firefox SSO not working..


Okay, thanks for the tips.

 

I just tried with one of the websites.

 

When browsing the keytab, here is the output :

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/17/12 17:01:16 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:01:16 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 host/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/s-dev.intranet-bourges.fr@INTRANET-BOURGES.FR

We can see that the last SPN is configured. I configured Firefox too, with the same config as in my first post here (replacing the trusted URIs and delegation URIs with http://s-dev.intranet-bourges.fr).

 

And it works! I don't have to log in to get access to the website.

Something weird: I also have access to the s-intranet2 website, without the entry in the keytab.

 

But I still don't have access to the s-exchange2 server, the mail server. I'll configure this tomorrow with the appropriate keytab.

 

If I experience any problems, I'll post here, but most of the work is done now.

 

Thanks for your help and your patience Fel, I appreciate a lot when a company helps users (even free-users) one by one.
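Fel's closing point (the keytab must hold the exact principal and key the browser's ticket was issued for) and the klist -kt listings in this thread make a good pair for a quick check. The following is an added example, not code from the thread or from Centrify: it collapses `klist -kt` output (one line per enctype) into distinct principals and reports, for each SPN a web server will be asked for, whether it is present, missing, or present only with different letter case. The case check matters because MIT Kerberos compares principal names case-sensitively, so the `http/client-02...` entries in the first listing would not decrypt a ticket for `HTTP/client-02...`, even though AD itself registers SPNs case-insensitively. The two listings are trimmed copies of the ones posted above; the required SPNs are the three hosts from the adjoin attempt, under the assumption that each server's Krb5ServiceName is HTTP/<fqdn>@INTRANET-BOURGES.FR.

```python
import re

# One data line of `klist -kt`: KVNO, timestamp (date + time), principal.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")

def parse_klist_kt(output: str) -> dict:
    """Map each distinct principal in `klist -kt` output to the set of KVNOs it has keys for.
    klist prints one line per enctype, so a principal repeats; the header lines never match."""
    principals = {}
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            principals.setdefault(m.group(3), set()).add(int(m.group(1)))
    return principals

def check_spns(required: list, keytab: dict) -> dict:
    """For every SPN the web server will be handed a ticket for, say whether this keytab can
    decrypt it: 'present', 'case-mismatch (...)' or 'missing'. Principal comparison is exact."""
    folded = {}
    for principal in keytab:
        folded.setdefault(principal.lower(), []).append(principal)
    report = {}
    for spn in required:
        if spn in keytab:
            report[spn] = "present"
        elif spn.lower() in folded:
            report[spn] = "case-mismatch (have %s)" % ", ".join(sorted(folded[spn.lower()]))
        else:
            report[spn] = "missing"
    return report

# Constructed from the listings posted in this thread (trimmed; klist repeats each line per enctype).
FIRST_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 http/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:21 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   4 07/13/12 15:03:22 client-02$@INTRANET-BOURGES.FR
"""
MERGED_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/17/12 17:14:05 host/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/client-02.intranet-bourges.fr@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 client-02$@INTRANET-BOURGES.FR
   3 07/17/12 17:14:05 HTTP/s-dev.intranet-bourges.fr@INTRANET-BOURGES.FR
"""
REALM = "INTRANET-BOURGES.FR"
# Assumed: each server's Krb5ServiceName is HTTP/<fqdn>@REALM for the three hosts in the adjoin attempt.
REQUIRED = ["HTTP/%s.intranet-bourges.fr@%s" % (h, REALM)
            for h in ("s-intranet2", "s-dev", "s-exchange2")]

if __name__ == "__main__":
    for label, listing in (("first join", FIRST_KEYTAB), ("after adkeytab", MERGED_KEYTAB)):
        print(label)
        for spn, verdict in check_spns(REQUIRED, parse_klist_kt(listing)).items():
            print("  %-58s %s" % (spn, verdict))
```

Run it against `klist -kt /path/to/keytab` output on the web server, with REQUIRED set to the SPN of every name users type in the URL bar (short name and FQDN both, if both are used). One caveat on Fel's option 2: a merged /etc/krb5.keytab contains the host key as well as the user accounts' keys, and Apache's worker process must be able to read whatever keytab Krb5Keytab points at, so a separate keytab holding only the HTTP principals, readable only by the Apache user, is the safer layout. A keytab entry for an AD user account is equivalent to that account's password.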
