Re: [jetty-dev] Adding in spnego authentication support

ya, there are two properties you need to edit in firefox to enable
spnego, and while IE is supposed to work out of the box there is a
lovely set of restrictions for it to kick in. Below are the setup
instructions I have for this; see the NOTE under IE for one of the
big hurdles that doesn't seem obvious from the get-go.

jesse


Setting up your Browser:

Firefox:

* browse to about:config and agree to the warnings
* search through to find the 'network' settings
** set network.negotiate-auth.delegation-uris to http://,https://
** set network.negotiate-auth.trusted-uris to http://,https://

IE:

* Tools -> Options -> Security -> Local Intranet -> Sites
** make sure everything is checked here
* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced
** add url to server (http:// and/or https://) making sure to use the hostname
* Tools -> Options -> Security -> Local Intranet -> Sites -> Advanced -> Close
* Tools -> Options -> Security -> Local Intranet -> Sites -> Ok
* Tools -> Options -> Advanced -> Security (in the checkbox list)
** locate and check 'Enable Integrated Windows Authentication'
* Tools -> Options -> Advanced -> Security -> Ok
* close IE then reopen and browse to your spnego protected resource

NOTE: you must go to the hostname and not the IP; if you go to the IP
it will default to NTLM authentication. The following conditions
apply to having spnego work:

* Intranet Zone
* Accessing the server using a Hostname rather than IP
* Integrated Windows Authentication in IE is enabled, the host is
trusted in Firefox
* The Server is not local to the browser
* The client's Kerberos system is authenticated to a domain controller



--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Thu, Aug 19, 2010 at 13:33, Chad La Joie <lajoie@xxxxxxxxx> wrote:
> We've had a few groups try to implement SPNEGO in Shib and have found
> similar issues with browser behavior.  In particular a number of
> browsers that don't want to handle SPNEGO seem to just immediately
> prompt the user for BASIC auth without returning them back to the
> server first.
>
> On Thu, Aug 19, 2010 at 14:19, Jesse McConnell
> <jesse.mcconnell@xxxxxxxxx> wrote:
>> Just kerberos, and it's a bit finicky in the setup, as spnego has to be
>> configured correctly or else IE will fall back to just attaching an
>> ntlm token to the spnego authorization header instead of properly
>> using kerberos.
>>
>> since the jvm has been steadily picking up more basic support for these
>> things, a fall back to ntlm is reasonable at some
>> point. Technically the spnego spec forbids the ntlm token coming
>> back, but microsoft doesn't generally care about such things and does
>> it anyway and expects people to roll with it.  I have actually been
>> considering testing the token to see if it's ntlm and warn the log or
>> something about it.  there is a fair amount of discussion on that out
>> on various mailing lists, etc :)
>>
>> cheers,
>> jesse
>>
>> --
>> jesse mcconnell
>> jesse.mcconnell@xxxxxxxxx
>>
>>
>>
>> On Thu, Aug 19, 2010 at 13:10, Chad La Joie <lajoie@xxxxxxxxx> wrote:
>>> Hey Jesse, out of curiosity, what forms of credentials does the spnego
>>> module support?  Only kerb or also things like NTLM?
>>>
>>> On Thu, Aug 19, 2010 at 13:58, Jesse McConnell
>>> <jesse.mcconnell@xxxxxxxxx> wrote:
>>>> I have a jetty-spnego module in the sandbox...the latest iteration has
>>>> no external dependencies so I am considering rolling it into
>>>> jetty-security now..
>>>>
>>>> any reasons not to?  I am also passively working on additional ldap
>>>> support for getting roles from AD but it's not something that is easily
>>>> generic between a standard ldap server and the Microsoft variant...
>>>>
>>>> cheers,
>>>> jesse
>>>>
>>>> --
>>>> jesse mcconnell
>>>> jesse.mcconnell@xxxxxxxxx
>>>> _______________________________________________
>>>> jetty-dev mailing list
>>>> jetty-dev@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>>>>
>>>
>>>
>>>
>>> --
>>> Chad La Joie
>>> www.itumi.biz
>>> trusted identities, delivered
>>>
>>
>
>
>
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered
>
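The Firefox prefs in the post set both network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris to bare schemes (http://,https://). In Firefox a bare scheme entry matches every host on that scheme, so that setting offers the user's Kerberos ticket to any web site, and with delegation-uris a forwardable one that the site can use to impersonate the user elsewhere. As an added example that is not part of this thread or of Jetty, here is a small audit script that parses user_pref lines from a Firefox user.js/prefs.js and flags such entries. The wide-open file is the setting from the post; the narrowed file and its hostnames (sso.corp.example, corp.example) are assumptions.

```python
"""Audit Firefox negotiate-auth prefs for over-broad Kerberos trust.

Added example, not part of the mailing-list post or of Jetty. It reads
user_pref() lines from a user.js / prefs.js and flags entries that hand the
user's Kerberos ticket (trusted-uris) or a delegable credential
(delegation-uris) to every site. The file contents are constructed here.
"""
import re

NEGOTIATE_PREFS = ("network.negotiate-auth.trusted-uris",
                   "network.negotiate-auth.delegation-uris")
PREF_RE = re.compile(r'user_pref\("([\w.\-]+)",\s*"([^"]*)"\);')

# The wide-open setting from the post: a bare scheme entry matches every
# host on that scheme, so any http(s) site may request the user's ticket,
# and via delegation-uris a forwardable one.
WIDE_OPEN = '''
user_pref("network.negotiate-auth.trusted-uris", "http://,https://");
user_pref("network.negotiate-auth.delegation-uris", "http://,https://");
'''

# Narrowed form (hostnames are assumptions): trust the SSO host and the
# corporate domain suffix, delegate only to the one service that needs it.
NARROWED = '''
user_pref("network.negotiate-auth.trusted-uris", "https://sso.corp.example,corp.example");
user_pref("network.negotiate-auth.delegation-uris", "https://sso.corp.example");
'''


def parse_prefs(text):
    """Return {pref_name: [entries]} for the negotiate-auth prefs in text."""
    prefs = {}
    for name, value in PREF_RE.findall(text):
        if name in NEGOTIATE_PREFS:
            prefs[name] = [e.strip() for e in value.split(",") if e.strip()]
    return prefs


def entry_findings(pref, entry):
    """(pref, entry, reason) tuples for an over-broad entry; [] when acceptable."""
    reasons = []
    if re.fullmatch(r"https?://", entry):
        reasons.append("bare scheme, matches every %s site" % entry.rstrip(":/"))
    if entry.startswith("http://"):
        reasons.append("cleartext http, Negotiate token sent without TLS")
    return [(pref, entry, reason) for reason in reasons]


def audit_prefs(text):
    """Findings for every negotiate-auth entry in a prefs file."""
    return [finding for pref, entries in parse_prefs(text).items()
            for entry in entries for finding in entry_findings(pref, entry)]


if __name__ == "__main__":
    for label, text in (("wide open", WIDE_OPEN), ("narrowed", NARROWED)):
        print(label, audit_prefs(text) or "ok")
```

Run it against the real profile file (python3 audit.py after pointing it at ~/.mozilla/firefox/<profile>/user.js) or fold the same check into whatever pushes the prefs out; the point is that the list should name the SSO hosts, and delegation-uris should normally be empty unless a service really needs to act on the user's behalf.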


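Jesse mentions checking the token to see whether IE actually sent NTLM. As an added example (not the jetty-spnego module or any other Jetty code), this Python script does that check on a decoded Authorization: Negotiate value: a bare NTLMSSP message, a SPNEGO NegTokenInit whose preferred mechanism or mechToken is NTLMSSP, and a Kerberos token are told apart by walking the GSS-API and SPNEGO DER framing (RFC 2743, RFC 4178) with the standard mechanism OIDs. The sample headers are constructed inside the script, not captured from a browser.

```python
"""Tell Kerberos from NTLM inside an ``Authorization: Negotiate`` header.

Added example, not Jetty's code: the check Jesse says he is considering, done
on the decoded token. Framing follows RFC 2743 (GSS-API) and RFC 4178 (SPNEGO
NegTokenInit) using the standard mechanism OIDs; the sample tokens at the
bottom are constructed here, not captured from a browser.
"""
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}
NTLMSSP_MAGIC = b"NTLMSSP\x00"


def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def classify_negotiate(header_value):
    """'ntlm-raw', 'ntlm-in-spnego', 'kerberos-raw', 'kerberos-in-spnego' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_MAGIC):   # IE fallback: bare NTLMSSP message
        return "ntlm-raw"
    if not token or token[0] != 0x60:     # not a GSS-API InitialContextToken
        return "unknown"
    _, body, _ = der_tlv(token)
    oid_tag, mech, after_oid = der_tlv(body)
    if oid_tag != 0x06:
        return "unknown"
    if mech in KERBEROS_OIDS:             # Kerberos sent without SPNEGO wrapper
        return "kerberos-raw"
    if mech != OID_SPNEGO:
        return "unknown"
    choice, neg_init, _ = der_tlv(body, after_oid)
    if choice != 0xA0:                    # first leg must be negTokenInit [0]
        return "unknown"
    _, fields, _ = der_tlv(neg_init)      # NegTokenInit ::= SEQUENCE { ... }
    mech_types, mech_token = [], b""
    for tag, value in der_children(fields):
        if tag == 0xA0:                   # mechTypes [0] SEQUENCE OF OID
            _, oids, _ = der_tlv(value)
            mech_types = [v for t, v in der_children(oids) if t == 0x06]
        elif tag == 0xA2:                 # mechToken [2] OCTET STRING
            _, mech_token, _ = der_tlv(value)
    preferred = mech_types[0] if mech_types else None
    if mech_token.startswith(NTLMSSP_MAGIC) or preferred == OID_NTLMSSP:
        return "ntlm-in-spnego"
    if preferred in KERBEROS_OIDS:
        return "kerberos-in-spnego"
    return "unknown"


def der(tag, body):
    """Encode one DER TLV; only used to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def spnego_init(mech_oids, mech_token):
    """GSS-API framed SPNEGO NegTokenInit carrying the given mechTypes/mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    neg_init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    return der(0x60, der(0x06, OID_SPNEGO) + neg_init)


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: an NTLMSSP NEGOTIATE_MESSAGE (type 1) with typical
# flags, and eight zero bytes standing in for a real Kerberos AP-REQ.
NTLM_TYPE1 = NTLMSSP_MAGIC + (1).to_bytes(4, "little") + bytes.fromhex("978208e2") + bytes(16)
SAMPLES = {
    "ie-fallback-raw-ntlm": negotiate_header(NTLM_TYPE1),
    "ntlm-wrapped-in-spnego": negotiate_header(spnego_init([OID_NTLMSSP], NTLM_TYPE1)),
    "kerberos-in-spnego": negotiate_header(spnego_init([OID_MS_KRB5, OID_KRB5], bytes(8))),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print("%-24s %s" % (name, classify_negotiate(header)))
```

For a quick look in a packet capture or access log, the base64 starts with TlRMTVNT (the encoding of "NTLMSSP") for a bare NTLM message and with YII for a GSS-API framed token longer than 255 bytes (0x60 0x82 ...), but only the decoded mechTypes and mechToken say whether the SPNEGO wrapper is carrying Kerberos or NTLM, so a server-side filter should log the classification rather than the prefix, and treat both NTLM cases as the fallback Jesse describes.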