debian-koji/www/docs/negotiate/index.html
Ken Dreyer 7e981c15a9 rm old references to Mozilla
We don't need to reference Fedora 5 or Mozilla any more in our docs.
2019-03-22 13:05:00 -04:00


<html>
<head>
<title>Configuring Firefox for Negotiate Authentication</title>
</head>
<body>
<h3>Configuring Firefox for Negotiate Authentication</h3>
<p>
Before Firefox can authenticate to a server using "Negotiate"
authentication, a couple of configuration changes must be made.
</p>
<p>
Type <strong>about:config</strong> into the location bar to bring
up the configuration page. Type <strong>negotiate</strong> into the <em>Filter:</em> box to restrict
the listing to the configuration options we're interested in.
<br/>
Change <strong>network.negotiate-auth.trusted-uris</strong> to the domain you want to authenticate against,
e.g. <code>.example.com</code>. You can leave <strong>network.negotiate-auth.delegation-uris</strong>
blank: it enables Kerberos ticket passing (delegating your credentials to the server), which is not required.
</p>
<p>
Now, make sure you have Kerberos tickets. Typing <em>kinit</em> in a shell should allow you to
retrieve Kerberos tickets. <em>klist</em> will show you what tickets you have.
</p>
<p>
Now, if you visit a Kerberos-authenticated website in the .example.com domain, you should be logged in
automatically, without having to type in your password.
</p>
<p>
<h4>Troubleshooting</h4>
If you have followed the configuration steps and Negotiate authentication is not working, you can
turn on verbose logging of the authentication process, and potentially find the cause of the problem.
Exit Firefox. In a shell, type the following commands:
<pre>
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log
</pre>
Then restart Firefox from that shell, and visit the website you were unable to authenticate
to earlier. Information will be logged to <em>/tmp/moz.log</em>, which may give a clue to the problem.
For example:
<pre>
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
No credentials cache found
</pre>
means that you do not have Kerberos tickets, and need to run <em>kinit</em>.
<br/>
<br/>
If you are able to <em>kinit</em> successfully from your machine but you are unable to authenticate, and you see
something like this in your log:
<pre>
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
Server not found in Kerberos database
</pre>
it generally indicates a Kerberos configuration problem. Make sure you have the following in the
<code>[domain_realm]</code> section of <em>/etc/krb5.conf</em>:
<pre>
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
</pre>
If nothing is showing up in the log, it's possible that you're behind a proxy, and that proxy is stripping off
the HTTP headers required for Negotiate authentication. As a workaround, you can try to connect to the
server via <code>https</code> instead, which will allow the request to pass through the proxy unmodified. Then proceed to
debug using the log, as described above.
</p>
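<p>
The troubleshooting checks above can be scripted. The following is an added example, not part of the original
Koji documentation; the function names and the temporary sample files are assumptions made for illustration.
</p>

```shell
#!/bin/sh
# Added example: classify a Firefox negotiateauth log using the failure
# messages quoted in the Troubleshooting section of this page.
# Function names and diagnosis strings are assumptions for this example.

# diagnose_negotiate_log FILE -> prints no-tickets | unknown-server | empty-log | other
diagnose_negotiate_log() {
    log=$1
    if [ ! -s "$log" ]; then
        echo "empty-log"        # nothing logged: a proxy may strip the Negotiate headers
    elif grep -q 'No credentials cache found' "$log"; then
        echo "no-tickets"       # no Kerberos tickets: run kinit
    elif grep -q 'Server not found in Kerberos database' "$log"; then
        echo "unknown-server"   # check [domain_realm] in /etc/krb5.conf
    else
        echo "other"
    fi
}

# has_domain_realm CONF DOMAIN REALM
# Succeeds only if [domain_realm] in CONF maps both ".DOMAIN" and "DOMAIN" to REALM.
has_domain_realm() {
    awk -v d="$2" -v r="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        in_sec && /=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[2] == r && kv[1] == "." d) dot = 1
            if (kv[2] == r && kv[1] == d) bare = 1
        }
        END { exit !(dot && bare) }
    ' "$1"
}

# Constructed sample input: the second log excerpt from this page, and a
# krb5.conf that lacks the bare "example.com" mapping.
demo_dir=$(mktemp -d)
printf '%s\n' \
    '-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()' \
    '-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure' \
    'Server not found in Kerberos database' > "$demo_dir/moz.log"
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n[domain_realm]\n .example.com = EXAMPLE.COM\n' \
    > "$demo_dir/krb5.conf"
diagnose_negotiate_log "$demo_dir/moz.log"
has_domain_realm "$demo_dir/krb5.conf" example.com EXAMPLE.COM ||
    echo "[domain_realm] is missing a mapping for example.com"
```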
</body>
</html>