[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

Tue Feb 17 21:19:42 UTC 2009
Ross Walker <rswwalker at gmail.com>

On Tue, Feb 17, 2009 at 2:18 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
>> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>> > In Firefox go to your about:config page and scroll down to:
>> >
>> > network.negotiate-auth.delegation-uris
>> >
>> > and
>> >
>> > network.negotiate-auth.trusted-uris
>> >
>> > and for their string values enter your DNS domain to allow kerberos
>> > negotiation and delegation to occur.
>>
>> HA! I had these set already, but I still get prompted.  So, today I
>> decided I should delete the saved passwords for the apache hosted site I
>> was trying to access, and viola, SSO worked!  I can't believe I didn't
>> remove the saved passwords before.
>
> I should have mentioned that I only set
> "network.negotiate-auth.trusted-uris".  I left the other one blank.
> Setting it or not didn't seem to make a difference. But, based on this:
>
> https://developer.mozilla.org/en/Integrated_Authentication
>
> The apache server should have been able to handle the authentication.
> Maybe I'm misunderstanding what "delegation" does.

Delegation will allow a system or service to authenticate you to
another system or service on your behalf.

For example, say your apache server has a mysql database backend for
an application that requires each user to authenticate individually,
well without delegation the users would need to use another form of
authentication such as HTTP basic authentication which would then pass
it off to the mysql. Even if done over SSL this can open your
application up to a man-in-the-middle attack. Kerberos delegation was
designed to defeat the man-in-the-middle scenario through signing of
the ticket request along the line and back.

-Ross