Well, looking at it I think it's already well documented at:


So maybe it doesn't need any change, although a link to the RFC and being more explicit about the HTTP/ thing would be better, I guess... but now I feel that the documentation is OK and I was just dumb :-p

On Mon, Mar 11, 2019 at 11:22 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 11 Mar 2019, Alex Corcoles via FreeIPA-users wrote:
>On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
>> Yes, the naming of Kerberos principals is more or less historical. All
>> browsers only request service tickets to HTTP/<hostname> principal. If
>> you expect browsers to utilize GSSAPI, your target Kerberos service
>> principal must be HTTP/.. according to
>> https://tools.ietf.org/html/rfc4559 section 4.1.
>Ah, thanks Alexander, that is actually very useful, as now I would like to
>get the negotiation working across a reverse proxy (which I think is not
>possible in the way I'd like to - I took it to
>https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not
>sure that's the best place).
>BTW, I think this tidbit is not mentioned in the howtos in the wiki. I
>think the wiki is not publicly editable, right? Could someone make a
>visible note about that (the link to the RFC is quite interesting)?
Can you point me to a page where you want it added?

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

  ( Y )
 ()~*~()  mail: alex at corcoles dot net