[ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

Martin Perina mperina at redhat.com
Mon Oct 3 02:37:02 EDT 2016


On Mon, Oct 3, 2016 at 8:18 AM, <aleksey.maksimov at it-kb.ru> wrote:

>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Forefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead of the transparent sign-on using
> Kerberos.
> It is impossible ??
>

​It's possible and it's working fine when everything is properly set up.
But please bear in mind kerberos SSO is one of the most complicated oVirt
setup, but usually the error is on kerberos side (environment issues on the
client).

So, you are saying that using curl you are able to access API using
kerberos ticket but when you try to access the same API from the browser it
does not work, right?
I don't use IE, but you need to set following options in "about:config" URL
for Firefox to work properly with kerberos:

 network.negotiate-auth.delegation-uris = .ad.holding.com
 network.negotiate-auth.trusted-uris = .ad.holding.com

If you have those options set, what exactly happen when you try to access ​
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
​

​in Firefox?

Martin Perina

​

>
> 03.10.2016, 09:08, "Martin Perina" <mperina at redhat.com>:
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for aleksey at AD.HOLDING.COM: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: aleksey at AD.HOLDING.COM
> >
> > Valid starting       Expires              Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM at AD.
> HOLDING.COM
> >         renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
> ​​
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <api>
> >  ... output truncated ...
> > </api>
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> from Internet Explorer & Forefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM, <aleksey.maksimov at it-kb.ru> wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksimov at it-kb.ru" <aleksey.maksimov at it-kb.ru
> >:
> > Any other ideas?
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161003/d0db4d0b/attachment.html>


More information about the Users mailing list