On Sun, 10 Mar 2019, Alex Corcoles via FreeIPA-users wrote:
Massive thread necromancy but...
On Sun, 2018-11-25 at 12:21 +0100, Alex Corcoles wrote:
> 2) SSO
>
> What is the special sauce for users using a browser on an IPA-joined
> system to log in to apps without even seeing a login form? SPNEGO?
>
> I'm using mod_auth_gssapi for some apps, having httpd do the
> authentication and forward it through REMOTE_USER, but it doesn't do
> the magic. There are some hints on mod_auth_gssapi's docs, but
> nothing
> really clear.
Playing around with my Ipsilon install I found the problem with my setup.
I was doing:
ipa service-add nagios/my.host
but I needed to use:
ipa service-add HTTP/my.host
Apparently, if you don't name it HTTP, the keytab works but doesn't do
SSO.
Yes, the naming of Kerberos principals is more or less historical. All
browsers only request service tickets for the HTTP/<hostname> principal. If
you expect browsers to utilize GSSAPI, your target Kerberos service
principal must be HTTP/... according to
https://tools.ietf.org/html/rfc4559 section 4.1.
If you are using a custom protocol, it is up to the client and server to
establish a common agreement on how the principal name should be
constructed.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
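As an added example (not from the thread, FreeIPA or Ipsilon), a small Python check for the mismatch discussed above: derive the principal a browser will request per RFC 4559 section 4.1 from the application URL and confirm the web server's keytab actually contains it. The klist-style listing, the realm EXAMPLE.TEST and the keytab path are constructed sample data.

```python
"""Added example: does the keytab hold the principal a browser asks for?

RFC 4559 section 4.1: a SPNEGO-capable browser requests a ticket for
HTTP/<hostname>, with <hostname> taken from the URL (port dropped). A
principal like nagios/my.host is fine for a custom GSSAPI client but is
never requested by a browser, which is the silent failure in the thread.
"""
from urllib.parse import urlsplit


def expected_browser_principal(url: str, realm: str = "") -> str:
    """Return the service principal a browser would request for this URL."""
    host = urlsplit(url).hostname  # drops scheme, port and path; lowercases
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    host = host.rstrip(".")  # a trailing dot (FQDN form) is not part of the name
    principal = f"HTTP/{host}"
    return f"{principal}@{realm}" if realm else principal


def principals_in_keytab_listing(listing: str) -> set[str]:
    """Parse principal names from `klist -kt`-style output.

    Assumes each key entry ends with the principal (service/host@REALM);
    the header, separator and 'Keytab name:' lines are skipped.
    """
    found = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and "/" in parts[-1] and "@" in parts[-1]:
            found.add(parts[-1])
    return found


def browser_sso_will_work(url: str, realm: str, listing: str) -> bool:
    """True iff the keytab contains HTTP/<host>@REALM for the given URL."""
    wanted = expected_browser_principal(url, realm)
    return wanted in principals_in_keytab_listing(listing)


# Constructed listing mirroring the misconfiguration in the thread:
# the service was registered as nagios/my.host rather than HTTP/my.host.
SAMPLE_LISTING = """\
Keytab name: FILE:/path/to/nagios.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   1 03/10/2019 10:00:00 nagios/my.host@EXAMPLE.TEST
"""

if __name__ == "__main__":
    ok = browser_sso_will_work("https://my.host/nagios/", "EXAMPLE.TEST", SAMPLE_LISTING)
    print("browser SSO possible:", ok)  # False until HTTP/my.host is added
```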