Got it. Thxs. Le 09/11/2015 23:39, Rick van Rein a écrit : > Hi Pascal, > >> I was able to have it to work (with firefox) when calling simple URI >> such as http://host.domain.tld but not when calling >> http://host.domain.tld/test_dir. > That surprises me. I've been putting host.fqdn.names and .domain.names > into the network.negotiate-auth.trusted-uris field in about:config and > not full URIs as the field name suggests, so I wonder how the path could > be of influence. > >> I did change the negotiate URI field in firefox configuration, > You were trying to setup the path in the trusted-uris field? That is > not the idea, I think. > > The use of trusted-uris is to setup hosts that may receive the Kerberos > tickets, and the path underneath is hardly considered a distribution > across operational boundaries, so it has no real impact on trust. > > If your intention is to only pickup the ticket for certain paths, then > you should leave the trusted-uris set to the entire webhost, and setup > the server to only request SPNEGO authentication for the paths that it > considers protected resources. > >> but did >> not touch the service keytab (HTTP/<host>). My guess is that the problem >> is there... >> > You cannot change the service keytab for paths; it only mentions the > service name and the server hostname. > >> Does this mean that in reality SPNEGO is limited to vrtual hosts ? >> > Not sure what you're asking. SPNEGO trusted-uris on FireFox are setup > for hostnames AFAIK, and within a server you get to choose when to > trigger SPNEGO by demanding authentication. > >> If someone could clarify, this would be more than useful... >> > I hope this helps. > > > Cheers, > -Rick >
-- Pascal Jakobi <mailto:pjak...@yahoo.fr> 116 rue de Stalingrad 93100 Montreuil, France Tel : +33 6 87 47 58 19 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
