Hi Pascal, > I was able to have it to work (with firefox) when calling simple URI > such as http://host.domain.tld but not when calling > http://host.domain.tld/test_dir.
That surprises me. I've been putting host.fqdn.names and .domain.names into the network.negotiate-auth.trusted-uris field in about:config and not full URIs as the field name suggests, so I wonder how the path could be of influence. > I did change the negotiate URI field in firefox configuration, You were trying to setup the path in the trusted-uris field? That is not the idea, I think. The use of trusted-uris is to setup hosts that may receive the Kerberos tickets, and the path underneath is hardly considered a distribution across operational boundaries, so it has no real impact on trust. If your intention is to only pickup the ticket for certain paths, then you should leave the trusted-uris set to the entire webhost, and setup the server to only request SPNEGO authentication for the paths that it considers protected resources. > but did > not touch the service keytab (HTTP/<host>). My guess is that the problem > is there... > You cannot change the service keytab for paths; it only mentions the service name and the server hostname. > Does this mean that in reality SPNEGO is limited to vrtual hosts ? > Not sure what you're asking. SPNEGO trusted-uris on FireFox are setup for hostnames AFAIK, and within a server you get to choose when to trigger SPNEGO by demanding authentication. > If someone could clarify, this would be more than useful... > I hope this helps. Cheers, -Rick ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
