> network.negotiate-auth.delegation-uris = .ad.holding.com
> network.negotiate-auth.trusted-uris = .ad.holding.com
Yes. Configured
The URL
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and
Firefox opens without problems and without password prompts
But when opening links from start page...
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/
userportal/?locale=en_US
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
...opens a oVirt form prompting for credentials with a single profile
"internal"
Ahh, so kerberos SSO works fine for API, but not for portals. Could you
please share your Apache configuration with oVirt kerberos configuration?
Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
Thanks
Martin Perina
03.10.2016, 09:37, "Martin Perina" <mperina(a)redhat.com>:
On Mon, Oct 3, 2016 at 8:18 AM, <aleksey.maksimov(a)it-kb.ru> wrote:
Hello, Martin
Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
successfully from Internet Explorer & Forefox.
Kerberos authentication NOT working with oVirt Web-Portals.
I expect that the users opening the oVirt web portal in the browser did
not enter a password, and used instead of the transparent sign-on using
Kerberos.
It is impossible ??
It's possible and it's working fine when everything is properly set up.
But please bear in mind kerberos SSO is one of the most complicated oVirt
setup, but usually the error is on kerberos side (environment issues on the
client).
So, you are saying that using curl you are able to access API using
kerberos ticket but when you try to access the same API from the browser it
does not work, right?
I don't use IE, but you need to set following options in "about:config"
URL for Firefox to work properly with kerberos:
network.negotiate-auth.delegation-uris = .ad.holding.com
network.negotiate-auth.trusted-uris = .ad.holding.com
If you have those options set, what exactly happen when you try to access
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
in Firefox?
Martin Perina
03.10.2016, 09:08, "Martin Perina" <mperina(a)redhat.com>:
Hi Aleksey,
in your last email you wrote that everything works (at least that's my
understanding, email pasted below). So what exactly doesn't work for you?
Regards
Martin Perina
> # kinit aleksey
>
> Password for aleksey(a)AD.HOLDING.COM: ***
>
> # klist
>
> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> Default principal: aleksey(a)AD.HOLDING.COM
>
> Valid starting Expires Service principal
> 09/30/2016 16:50:32 10/01/2016 02:50:32 krbtgt/AD.HOLDING.COM@AD.
HOLDING.COM
> renew until 10/07/2016 16:50:29
>
>
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
<
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api>
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
>
> <?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
> <api>
> ... output truncated ...
> </api>
>
> It Works.
> The browsers are configured.
> Kerberos authentication for Windows web servers working successfully
from Internet Explorer & Forefox
On Mon, Oct 3, 2016 at 7:37 AM, <aleksey.maksimov(a)it-kb.ru> wrote:
Up
30.09.2016, 18:55, "aleksey.maksimov(a)it-kb.ru" <aleksey.maksimov(a)it-kb.ru
>:
> Any other ideas?
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users