On Tue, Feb 17, 2009 at 2:18 PM, Kanwar Ranbir Sandhu <m3freak at thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
>> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>> > In Firefox go to your about:config page and scroll down to:
>> >
>> > network.negotiate-auth.delegation-uris
>> >
>> > and
>> >
>> > network.negotiate-auth.trusted-uris
>> >
>> > and for their string values enter your DNS domain to allow kerberos
>> > negotiation and delegation to occur.
>>
>> HA! I had these set already, but I still get prompted. So, today I
>> decided I should delete the saved passwords for the apache hosted site I
>> was trying to access, and voila, SSO worked! I can't believe I didn't
>> remove the saved passwords before.
>
> I should have mentioned that I only set
> "network.negotiate-auth.trusted-uris". I left the other one blank.
> Setting it or not didn't seem to make a difference. But, based on this:
>
> https://developer.mozilla.org/en/Integrated_Authentication
>
> The apache server should have been able to handle the authentication.
> Maybe I'm misunderstanding what "delegation" does.

Delegation will allow a system or service to authenticate you to another
system or service on your behalf.

For example, say your apache server has a mysql database backend for an
application that requires each user to authenticate individually. Well, without
delegation the users would need to use another form of authentication, such as
HTTP basic authentication, which would then pass it off to mysql. Even if done
over SSL this can open your application up to a man-in-the-middle attack.

Kerberos delegation was designed to defeat the man-in-the-middle scenario
through signing of the ticket request along the line and back.

-Ross
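The two about:config prefs discussed in this thread grant different capabilities: network.negotiate-auth.trusted-uris decides which sites Firefox will send a Kerberos (SPNEGO) ticket to at all, while network.negotiate-auth.delegation-uris decides which of those sites additionally receive a forwardable credential they can use on the user's behalf. The following script is an added example, not code from the thread or from Mozilla; it approximates Firefox's matching of the comma-separated pref values (a scheme-only entry such as "https://" matches every site on that scheme, a bare domain matches that host and its subdomains) so you can see which hosts a given pair of settings would negotiate with or delegate to. The domain names and the two pref sets are constructed for illustration.

```python
"""Evaluate Firefox negotiate-auth prefs against candidate URLs.

This is an approximation of Firefox's matching rules, written for this
thread as an example; it is not Mozilla's implementation.
"""
from urllib.parse import urlsplit

TRUSTED_PREF = "network.negotiate-auth.trusted-uris"
DELEGATION_PREF = "network.negotiate-auth.delegation-uris"


def _entry_matches(entry: str, url: str) -> bool:
    """Match one list entry against a URL.

    Entry with a scheme ("https://", "https://host.example.com"): the scheme
    must match and, if a host is given, the host must match exactly.
    Bare entry ("example.com" or ".example.com"): matches that host and any
    subdomain, but not "badexample.com" (the match is on a label boundary).
    """
    entry = entry.strip().lower()
    if not entry:
        return False
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if "://" in entry:
        e_scheme, _, rest = entry.partition("://")
        e_host = rest.split("/", 1)[0]
        if e_scheme != scheme:
            return False
        return e_host == "" or e_host == host
    base = entry.lstrip(".")
    return host == base or host.endswith("." + base)


def _any_match(pref_value: str, url: str) -> bool:
    return any(_entry_matches(e, url) for e in pref_value.split(","))


def negotiate_policy(prefs: dict, url: str) -> dict:
    """Return whether Firefox would negotiate with, and delegate to, url.

    Delegation is only possible for a site that is also trusted, since the
    delegation check happens inside the negotiate path.
    """
    negotiate = _any_match(prefs.get(TRUSTED_PREF, ""), url)
    delegate = negotiate and _any_match(prefs.get(DELEGATION_PREF, ""), url)
    return {"negotiate": negotiate, "delegate": delegate}


# Constructed settings. SCOPED_PREFS is the shape the thread converged on:
# trusted-uris limited to the organisation's DNS domain, delegation left blank,
# so no web server ever receives a forwardable credential. WEAK_PREFS is the
# tempting "just make it work" shortcut: any HTTPS site gets a ticket and may
# act on the user's behalf, which is what delegation enables.
SCOPED_PREFS = {TRUSTED_PREF: "example.com", DELEGATION_PREF: ""}
WEAK_PREFS = {TRUSTED_PREF: "https://", DELEGATION_PREF: "https://"}

SAMPLE_URLS = [
    "https://intranet.example.com/app",   # in-domain app server
    "http://wiki.example.com/",           # in-domain, plain HTTP
    "https://badexample.com/",            # lookalike domain, outside
    "https://attacker.invalid/phish",     # arbitrary external HTTPS site
]

if __name__ == "__main__":
    for label, prefs in (("scoped", SCOPED_PREFS), ("weak", WEAK_PREFS)):
        print(f"--- {label}: {prefs}")
        for url in SAMPLE_URLS:
            print(f"{url:40} {negotiate_policy(prefs, url)}")
```

Run it to compare the two pref sets: with the scoped settings only example.com hosts are negotiated with and nothing is delegated to, whereas with "https://" in delegation-uris every HTTPS host, including attacker.invalid, would be handed a credential it can use as the user.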