On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:

Yes, the naming of Kerberos principals is more or less historical. All
browsers only request service tickets to HTTP/<hostname> principal. If
you expect browsers to utilize GSSAPI, your target Kerberos service
principal must be HTTP/..  according to
https://tools.ietf.org/html/rfc4559 section 4.1.
Ah, thanks Alexander, that is actually very useful, as now I would like to get the negotiation working across a reverse proxy (which I think is not possible in the way I'd like to- I took it to https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not sure that's the best place).

BTW, I think this tidbit is not mentioned in the howtos in the wiki. I think the wiki is not publicly editable, right? Could someone make a visible note about that (the link to the RFC is quite interesting)?


  ( Y )
 ()~*~()  mail: alex at corcoles dot net