On Mon, Feb 16, 2009 at 6:03 PM, Kanwar Ranbir Sandhu <m3freak at thesandhufamily.ca> wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side). The Windows users didn't see a difference. For them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can log in with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it's not connected to the network.
>
> I suppose I've missed something, though I don't know what.

In Firefox go to your about:config page and scroll down to:

network.negotiate-auth.delegation-uris

and

network.negotiate-auth.trusted-uris

and for their string values enter your DNS domain to allow Kerberos negotiation and delegation to occur.

-Ross