<div dir="ltr"><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 3, 2016 at 8:52 AM,  <span dir="ltr">&lt;<a target="_blank" href="mailto:aleksey.maksimov@it-kb.ru">aleksey.maksimov@it-kb.ru</a>&gt;</span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><div> &gt; network.negotiate-auth.<wbr>delegation-uris = .<a target="_blank" href="http://ad.holding.com/"><font color="#0000ee">ad.holding.com</font></a><br> &gt; network.negotiate-auth.<wbr>trusted-uris = .<a target="_blank" href="http://ad.holding.com/"><font color="#0000ee">ad.holding.com</font></a></div><div> </div><div>Yes. Configured</div><div> </div><div>The URL <a target="_blank" href="https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api"><font color="#0000ee">https://kom-ad01-ovirt1.ad.<wbr>holding.com/ovirt-engine/api</font></a> <wbr>in IE and Firefox opens without problems and without password prompts</div><div> </div><div>But when opening links from the start page...</div><div> </div><div><a target="_blank" href="https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US">https://kom-ad01-ovirt1.ad.<wbr>holding.com/ovirt-engine/<wbr>userportal/?locale=en_US</a><br><a target="_blank" href="https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US">https://kom-ad01-ovirt1.ad.<wbr>holding.com/ovirt-engine/<wbr>webadmin/?locale=en_US</a></div><div> </div><div>...opens an oVirt form prompting for credentials with a single profile &quot;internal&quot;</div></blockquote><div><br><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Ahh, so kerberos SSO works fine for API, but not for portals. Could you please share your Apache configuration with oVirt kerberos configuration?
Usually it&#39;s in /etc/ovirt-engine/aaa/ovirt-sso.conf<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Thanks<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Martin Perina<br></div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><div> </div><div> </div><div>03.10.2016, 09:37, &quot;Martin Perina&quot; &lt;<a target="_blank" href="mailto:mperina@redhat.com">mperina@redhat.com</a>&gt;:</div><blockquote type="cite"><div><div style="font-family:arial,helvetica,sans-serif"> </div><div> <div>On Mon, Oct 3, 2016 at 8:18 AM, <span>&lt;<a target="_blank" href="mailto:aleksey.maksimov@it-kb.ru">aleksey.maksimov@it-kb.ru</a>&gt;</span> wrote:<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)"><div> </div><div>Hello, Martin</div><div> </div><div>Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer &amp; Firefox.</div><div>Kerberos authentication NOT working with oVirt Web-Portals.</div><div> </div><div>I expect that the users opening the oVirt web portal in the browser do not enter a password and instead use transparent sign-on using Kerberos.<br>Is it impossible?</div></blockquote><div> <div style="font-family:arial,helvetica,sans-serif;display:inline">It&#39;s possible and it&#39;s working fine when everything is properly set up.
But please bear in mind kerberos SSO is one of the most complicated oVirt setups, but usually the error is on kerberos side (environment issues on the client).<br> </div><div style="font-family:arial,helvetica,sans-serif;display:inline">So, you are saying that using curl you are able to access API using kerberos ticket but when you try to access the same API from the browser it does not work, right?</div><div style="font-family:arial,helvetica,sans-serif;display:inline">I don&#39;t use IE, but you need to set the following options in &quot;about:config&quot; URL for Firefox to work properly with kerberos:<br><br> network.negotiate-auth.<wbr>delegation-uris = .<a target="_blank" href="http://ad.holding.com/">ad.holding.com</a><br> network.negotiate-auth.<wbr>trusted-uris = .<a target="_blank" href="http://ad.holding.com/">ad.holding.com</a><br> </div><div style="font-family:arial,helvetica,sans-serif;display:inline">If you have those options set, what exactly happens when you try to access <a target="_blank" href="https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api">https://kom-ad01-ovirt1.ad.<wbr>holding.com/ovirt-engine/api</a></div> <div style="font-family:arial,helvetica,sans-serif;display:inline">in Firefox?<br> </div><div style="font-family:arial,helvetica,sans-serif;display:inline">Martin Perina<br><br></div></div><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)"><div> </div><div>03.10.2016, 09:08, &quot;Martin Perina&quot; &lt;<a target="_blank" href="mailto:mperina@redhat.com">mperina@redhat.com</a>&gt;:</div><blockquote type="cite"><div><div style="font-family:arial,helvetica,sans-serif">Hi Aleksey,<br><br>in your last email you wrote that everything works (at least that&#39;s my understanding, email pasted below).
So what exactly doesn&#39;t work for you?<br><br>Regards<br><br>Martin Perina<br><br><br>&gt; # kinit aleksey<br>&gt;<br>&gt; Password for <a target="_blank" href="mailto:aleksey@AD.HOLDING.COM">aleksey@AD.HOLDING.COM</a>: ***<br>&gt;<br>&gt; # klist<br>&gt;<br>&gt; Ticket cache: KEYRING:persistent:0:krb_<wbr>ccache_9W86VN9<br>&gt; Default principal: <a target="_blank" href="mailto:aleksey@AD.HOLDING.COM">aleksey@AD.HOLDING.COM</a><br>&gt;<br>&gt; Valid starting       Expires              Service principal<br>&gt; 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/<a target="_blank" href="mailto:AD.HOLDING.COM@AD.HOLDING.COM">AD.HOLDING.COM@AD.<wbr>HOLDING.COM</a><br>&gt;         renew until <span><span>10/07/2016 16:50:29</span></span><br>&gt;<br>&gt;<br>&gt; # curl --negotiate -u : -X GET -H &quot;Accept: application/xml&quot; -k <a target="_blank" href="https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api">https://kom-ad01-ovirt1.ad.<wbr>holding.com/ovirt-engine/api</a><br>&gt;<br>&gt; &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;<br>&gt; &lt;api&gt;<br>&gt;  ...
output truncated ...<br>&gt; &lt;/api&gt;<br>&gt;<br>&gt; It Works.<br>&gt; The browsers are configured.<br>&gt; Kerberos authentication for Windows web servers working successfully from Internet Explorer &amp; Firefox<br> </div></div><div> <div>On Mon, Oct 3, 2016 at 7:37 AM, <span>&lt;<a target="_blank" href="mailto:aleksey.maksimov@it-kb.ru">aleksey.maksimov@it-kb.ru</a>&gt;</span> wrote:<br> <blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">Up<br><br>30.09.2016, 18:55, &quot;<a target="_blank" href="mailto:aleksey.maksimov@it-kb.ru">aleksey.maksimov@it-kb.ru</a>&quot; &lt;<a target="_blank" href="mailto:aleksey.maksimov@it-kb.ru">aleksey.maksimov@it-kb.ru</a>&gt;:<br>&gt; Any other ideas?<br>______________________________<wbr>_________________<br>Users mailing list<br><a target="_blank" href="mailto:Users@ovirt.org">Users@ovirt.org</a><br><a target="_blank" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a></blockquote></div></div></blockquote></blockquote></div></div></div></blockquote></blockquote></div><br></div></div>