[Freeipa-users] Kerberos authentication setup

Rob Crittenden rcritten at redhat.com
Fri Nov 11 21:56:58 UTC 2011


Boris Epstein wrote:
> On Fri, Nov 11, 2011 at 4:18 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 11/11/2011 03:52 PM, Boris Epstein wrote:
>>
>> Hello all,
>> I've got my FreeIPA seemingly running on a Fedora 16 machine but I can not log into it from a browser as I get the "Your kerberos ticket is no longer valid." message. So the question is: is there a good guide on how to set up the Kerberos components involved?
>>
>> Do you use the browser from the same machine as your server or a different one?
>> Is it a Linux machine?
>> What is the browser you are using?
>>
>> The procedure is (on server):
>> 1) Install server
>> 2) kinit admin (or other user you want to use that you added)
>> 3) start browser
>> 4) follow the prompts reading carefully - accept certs and let the browser configuration script run
>> 5) Enjoy the UI
>>
>> On non server:
>> 1) Install client
>> 2) kinit admin (or other user you want to use that you added)
>> 3) start browser on that machine
>> 4) follow the prompts reading carefully - accept certs and let the browser configuration script run
>> 5) Enjoy the UI
>>
>> If you are trying to access it from a machine that is not a member of the domain you have to go to IPA and allow basic auth but we do not recommend it as it is insecure.
>>
>>
>>
>>
>> Thanks.
>> Boris.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>
> Dmitry,
>
> We intend to have this on a secure network so how do I enable basic
> authentication?
>
> And thanks for all your help.
>

Basic auth defeats the benefits of single sign-on; I would not recommend
it. If you are using Firefox then getting this set up is usually just a
one-time bit of pain and then SSO goodness from then on. The beauty is 
you can extend it to all your other apps and get away from sending your 
passwords all over the place.

rob



