Chapter 6. Configuring Applications for Single Sign-On
6.1. Configuring Firefox to Use Kerberos for Single Sign-On
- In the address bar of Firefox, type about:config to display the list of current configuration options.
- In the Filter field, type negotiate to restrict the list of options.
- Double-click the network.negotiate-auth.trusted-uris entry.
- Enter the name of the domain against which to authenticate.
- Next, configure the network.negotiate-auth.delegation-uris entry, using the same domain as for network.negotiate-auth.trusted-uris.
- Run the kinit command and supply the password for the user on the KDC.
    [jsmith@host ~] $ kinit
    Password for jsmith@EXAMPLE.COM:
- Close all instances of Firefox.
- In a command prompt, export values for the NSPR_LOG_MODULES and NSPR_LOG_FILE environment variables:
    export NSPR_LOG_MODULES=negotiateauth:5
    export NSPR_LOG_FILE=/tmp/moz.log
- Restart Firefox from that shell, and visit the website where Kerberos authentication is failing.
- Check the /tmp/moz.log file for error messages with nsNegotiateAuth in the message.
- The first error says that no credentials have been found.
    -1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
    -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure No credentials cache found
  This means that there are no Kerberos tickets (either they expired or were never generated). To fix this, run kinit to obtain a Kerberos ticket and then open the website again.
- The second potential error is if the browser is unable to contact the KDC, with the message Server not found in Kerberos database.
    -1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
    -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database
  This is usually a Kerberos configuration problem. The correct entries must be in the [domain_realm] section of the /etc/krb5.conf file to identify the domain. For example:
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
- If there are no errors in the log, then the problem could be that an HTTP proxy server is stripping off the HTTP headers required for Kerberos authentication. Try to connect to the site using HTTPS, which allows the request to pass through unmodified.
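The three log outcomes above (no credentials cache, server not found, no GSSAPI error at all) and the [domain_realm] check, as an added example that is not code from the Red Hat guide: a small Python triage that classifies gss_init_sec_context() failures read from the NSPR log and resolves a hostname through a [domain_realm] section the way libkrb5 does. The function names, the sample log lines and the sample krb5.conf text are my own constructions.

```python
# Added example, not part of the Red Hat procedure: triage a Firefox
# negotiateauth log for the gss_init_sec_context() failures described above
# and check the [domain_realm] mapping the second failure points to.
# The log lines and krb5.conf text are constructed, not captured from a host.
import re

# minor-status text -> (cause, fix), as explained in the troubleshooting steps
KNOWN_FAILURES = {
    "No credentials cache found": ("no-ticket", "run kinit, then reload the site"),
    "Server not found in Kerberos database": ("no-realm-mapping",
        "check the [domain_realm] section of /etc/krb5.conf"),
}

def triage_log(log_text):
    """Return [(cause, advice)] for each GSSAPI failure in an NSPR negotiateauth log."""
    findings = []
    for line in log_text.splitlines():
        if "gss_init_sec_context() failed:" not in line:
            continue
        detail = line.split("failed: ", 1)[1]
        match = [v for k, v in KNOWN_FAILURES.items() if k in detail]
        findings.append(match[0] if match else ("other", detail))
    # no GSSAPI error at all: the third case, a proxy stripping Negotiate headers
    return findings or [("no-gss-error", "try HTTPS; a proxy may strip the headers")]

def domain_realm(krb5_conf):
    """Parse the [domain_realm] section of krb5.conf into {domain: REALM}."""
    mapping, section = {}, None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"\[\w+\]", line):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def realm_for(hostname, mapping):
    """Resolve a host as libkrb5 does: exact name first, then each parent domain
    with a leading dot (www.example.com -> .example.com -> .com)."""
    labels = hostname.lower().split(".")
    candidates = [hostname.lower()] + \
        ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

# constructed sample input mirroring the second error in the procedure
SAMPLE_LOG = """-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database"""
SAMPLE_KRB5_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n[domain_realm]\n .example.com = EXAMPLE.COM\n example.com = EXAMPLE.COM\n"
```

Point triage_log at the contents of /tmp/moz.log and domain_realm at /etc/krb5.conf to reproduce the manual checks in the steps above.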