[Freeipa-users] IPA, kerberos ticket issue for web admin.
Rob Crittenden
rcritten at redhat.com
Mon Apr 23 15:58:23 UTC 2012
Nathan Lager wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>> Have you configured the browser for Kerberos?
>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>
>>
>>
>> That error seems to indicate that the domain isn't defined in
>> network.negotiate-auth.trusted-uris
>>
>> regards
>>
>> rob
>
> I've been through the clicky-clicky that ipa's web gui sends you
> through (accepting the certs, and configuring the browser), a number
> of times. I just confirmed the trusted uri's and delegation uris.
> They are both correct, they look like: .my.ipa.domain.com
>
> I even tried resetting delegation-uris, and trusted-uri's to the
> default, and then allowing the ipa web gui to re-configure them, it
> hasnt helped.
>
> Thanks for the response. Sorry for the delay in mine.
Hmm, that is very strange. The code in question in Firefox looks like:
bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
if (!allowed) {
LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
return NS_ERROR_ABORT;
}
which seems to be the error you are seeing. It's a shame there isn't
more logging around the uris.
I see that you had enabled debug logging on the Apache side. Can you
provide some more context on the failed request?
thanks
rob
More information about the Freeipa-users
mailing list