Re: [jetty-dev] Adding in spnego authentication support
ya, there are two properties you need to edit in firefox to enable
spnego and while IE is supposed to work out of the box there are a
lovely set of restrictions for it to kick in..below are the setup
instructions I have for this...see the NOTE under IE for one of the
big hurdles that doesn't seem obvious from the get go
jesse
Setting up your Browser:
Firefox:
* browse to about:config and agree to the warnings
* search through to find the 'network' settings
** set network.negotiate-auth.delegation-uris to http://,https://
** set network.negotiate-auth.trusted-uris to http://,https://
IE:
* Tools -> Options -> Security -> Local Intranet -> Sites
** make sure everything is checked here
* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced
** add url to server (http:// and/or https://) making sure to use the hostname
* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -> Close
* Tools -> Options -> Security -> Local Intranet -> Sites -> Ok
* Tools -> Options -> Advanced -> Security (in the checkbox list)
** locate and check 'Enable Integrated Windows Authentication'
* Tools -> Options -> Advanced -> Security -> Ok
* close IE then reopen and browse to your spnego protected resource
NOTE: you must go to the hostname and not the IP; if you go to the IP
it will default to NTLM authentication. The following conditions
apply for spnego to work:
* Intranet Zone
* Accessing the server using a Hostname rather than IP
* Integrated Windows Authentication in IE is enabled, the host is
trusted in Firefox
* The Server is not local to the browser
* The client's Kerberos system is authenticated to a domain controller
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
On Thu, Aug 19, 2010 at 13:33, Chad La Joie <lajoie@xxxxxxxxx> wrote:
> We've had a few groups try to implement SPNEGO in Shib and have found
> similar issues with browser behavior. In particular a number of
> browsers that don't want to handle SPNEGO seem to just immediately
> prompt the user for BASIC auth without returning them back to the
> server first.
>
> On Thu, Aug 19, 2010 at 14:19, Jesse McConnell
> <jesse.mcconnell@xxxxxxxxx> wrote:
>> Just kerberos, and it's a bit finicky in the setup as spnego has to be
>> configured correctly or else IE will fall back to just attaching an
>> ntlm token to the spnego authorization header instead of properly
>> using kerberos.
>>
>> since the jvm has been steadily picking up basic support for these
>> things more a fall back to ntlm is reasonable at some
>> point....technically the spnego spec forbids the ntlm token coming
>> back but microsoft doesn't generally care about such things and does
>> it anyway and expects people to roll with it. I have actually been
>> considering testing the token to see if it's ntlm and warn the log or
>> something about it. there is a fair amount of discussion on that out
>> on various mailing lists, etc :)
>>
>> cheers,
>> jesse
>>
>> --
>> jesse mcconnell
>> jesse.mcconnell@xxxxxxxxx
>>
>>
>>
>> On Thu, Aug 19, 2010 at 13:10, Chad La Joie <lajoie@xxxxxxxxx> wrote:
>>> Hey Jesse, out of curiosity, what forms of credentials does the spnego
>>> module support? Only kerb or also things like NTLM?
>>>
>>> On Thu, Aug 19, 2010 at 13:58, Jesse McConnell
>>> <jesse.mcconnell@xxxxxxxxx> wrote:
>>>> I have a jetty-spnego module in the sandbox...the latest iteration has
>>>> no external dependencies so I am considering rolling it into
>>>> jetty-security now..
>>>>
>>>> any reasons not to? I am also passively working on additional ldap
>>>> support for getting roles from AD but it's not something that is easily
>>>> generic between a standard ldap server and the Microsoft variant...
>>>>
>>>> cheers,
>>>> jesse
>>>>
>>>> --
>>>> jesse mcconnell
>>>> jesse.mcconnell@xxxxxxxxx
>>>> _______________________________________________
>>>> jetty-dev mailing list
>>>> jetty-dev@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>>>>
>>>
>>>
>>>
>>> --
>>> Chad La Joie
>>> www.itumi.biz
>>> trusted identities, delivered
>
>
>
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered
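The token check Jesse says he is considering in the quoted reply (warn in the log when the Negotiate header carries an NTLM token instead of Kerberos, which is what IE falls back to when the browser is pointed at an IP rather than a hostname), worked through as an added example; this is not code from the thread or from Jetty's jetty-spnego module. It assumes the check is run on the raw 'Authorization' header value as received by the server; the sample tokens and the tiny DER encoder used to build them are constructed here for the demonstration.

```python
import base64
import re

# DER-encoded GSS mechanism OIDs (well-known constants, not page-specific values)
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy MS Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_OIDS = {"ms-krb5": MS_KRB5_OID, "krb5": KRB5_OID, "ntlmssp": NTLMSSP_OID}

def classify_negotiate(header_value: str) -> dict:
    """Classify an 'Authorization' header value: raw NTLM, raw Kerberos, or SPNEGO (and what it offers)."""
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*", header_value)
    if not m:
        return {"kind": "not-negotiate", "mechs": []}
    tok = base64.b64decode(m.group(1))
    if tok.startswith(b"NTLMSSP\x00"):   # bare NTLM message, no GSS framing at all
        return {"kind": "ntlm-raw", "mechs": ["ntlmssp"]}
    if not tok.startswith(b"\x60"):      # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    i = 2 if tok[1] < 0x80 else 2 + (tok[1] & 0x7F)   # skip the DER length to reach the mech OID
    if tok[i:].startswith((KRB5_OID, MS_KRB5_OID)):
        return {"kind": "kerberos-raw", "mechs": ["krb5"]}
    if not tok[i:].startswith(SPNEGO_OID):
        return {"kind": "unknown", "mechs": []}
    # NegTokenInit: list the offered mechTypes in wire order (byte-scan heuristic, not a full ASN.1 parse)
    hits = sorted((tok.find(o), n) for n, o in MECH_OIDS.items() if o in tok)
    mechs = [n for _, n in hits]
    ntlm_first = bool(mechs) and mechs[0] == "ntlmssp"
    if ntlm_first or b"NTLMSSP\x00" in tok:   # NTLM wrapped in SPNEGO: the IE fallback case
        return {"kind": "spnego-ntlm", "mechs": mechs}
    return {"kind": "spnego-kerberos" if mechs else "spnego-other", "mechs": mechs}

# --- constructed sample tokens so the check can be exercised offline ---
def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths below 65536)."""
    n = len(body)
    ln = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def neg_token_init(mech_oids: list, mech_token: bytes) -> bytes:
    """Minimal SPNEGO NegTokenInit (RFC 4178 layout) offering the given mechanisms, in that order."""
    inner = der(0x30, der(0xA0, der(0x30, b"".join(mech_oids))) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, SPNEGO_OID + der(0xA0, inner))

NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xA2" + b"\x00" * 22   # constructed NTLM NEGOTIATE message

def header(tok: bytes) -> str:
    """Render a token the way a browser sends it in the Authorization header."""
    return "Negotiate " + base64.b64encode(tok).decode()
```

A server-side filter would call classify_negotiate on the incoming header and log a warning whenever the returned kind contains "ntlm", which is exactly the symptom the browser notes above describe for IP-based access.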