[ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

Martin Perina mperina at redhat.com
Mon Oct 3 02:56:43 EDT 2016


On Mon, Oct 3, 2016 at 8:52 AM, <aleksey.maksimov at it-kb.ru> wrote:

>  > network.negotiate-auth.delegation-uris = .ad.holding.com
>  > network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and
> Firefox opens without problems and without password prompts
>
> But when opening links from start page...
>
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/
> userportal/?locale=en_US
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
>
> ...opens an oVirt form prompting for credentials with a single profile
> "internal"
>

Ahh, so Kerberos SSO works fine for API, but not for portals. Could you
please share your Apache configuration with oVirt Kerberos configuration?
Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

Thanks

Martin Perina


>
>
> 03.10.2016, 09:37, "Martin Perina" <mperina at redhat.com>:
>
>
>
> On Mon, Oct 3, 2016 at 8:18 AM, <aleksey.maksimov at it-kb.ru> wrote:
>
>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS is working
> successfully from Internet Explorer & Firefox.
> Kerberos authentication is NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser do
> not enter a password and instead use transparent sign-on via
> Kerberos.
> Is it impossible??
>
>
> It's possible and it's working fine when everything is properly set up.
> But please bear in mind Kerberos SSO is one of the most complicated oVirt
> setups, but usually the error is on the Kerberos side (environment issues on
> the client).
>
> So, you are saying that using curl you are able to access the API using a
> Kerberos ticket but when you try to access the same API from the browser it
> does not work, right?
> I don't use IE, but you need to set the following options in the "about:config"
> URL for Firefox to work properly with Kerberos:
>
>  network.negotiate-auth.delegation-uris = .ad.holding.com
>  network.negotiate-auth.trusted-uris = .ad.holding.com
>
> If you have those options set, what exactly happens when you try to access
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> in Firefox?
>
> Martin Perina
>
>
> 03.10.2016, 09:08, "Martin Perina" <mperina at redhat.com>:
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for aleksey at AD.HOLDING.COM: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: aleksey at AD.HOLDING.COM
> >
> > Valid starting       Expires              Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM at AD.HOLDING.COM
> >         renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <api>
> >  ... output truncated ...
> > </api>
> >
> > It works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers is working successfully
> > from Internet Explorer & Firefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM, <aleksey.maksimov at it-kb.ru> wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksimov at it-kb.ru" <aleksey.maksimov at it-kb.ru>:
> > Any other ideas?
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
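An added example, not part of the thread: a small POSIX shell helper that turns the thread's curl check into a per-URL diagnosis, probing each endpoint without a Kerberos ticket and reporting whether the server issues a SPNEGO challenge (401 with `WWW-Authenticate: Negotiate`) or serves the login form instead. The header samples, the `classify_headers`/`probe_url`/`probe_thread_urls` names and the assumption that an endpoint covered by the Apache Kerberos config challenges with Negotiate when no ticket is presented are mine, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): classify whether an oVirt endpoint
# offers SPNEGO/Kerberos negotiation. Assumption: an endpoint covered by the
# Apache Kerberos config answers a ticket-less request with 401 and
# "WWW-Authenticate: Negotiate"; one that is not covered serves the
# "internal" login form (200) or redirects to it (302).

# Reads raw HTTP response headers on stdin and prints one word:
#   negotiate  401 plus a Negotiate challenge: Kerberos SSO is wired up here
#   form       200/302 without a challenge: the portal falls back to the form
#   other      any other status (TLS/proxy/engine problem, look at the headers)
classify_headers() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" |
        sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    if [ "$status" = 401 ] &&
        printf '%s\n' "$hdrs" | grep -qi '^WWW-Authenticate: *Negotiate'; then
        echo negotiate
    elif [ "$status" = 200 ] || [ "$status" = 302 ]; then
        echo form
    else
        echo other
    fi
}

# Live probe of one URL. Deliberately omits --negotiate so the server's
# challenge (if any) is visible; -k mirrors the thread's curl invocation.
probe_url() {
    curl -sk -D - -o /dev/null "$1" | classify_headers
}

# Probe the three URLs from the thread. In the reported setup the API URL
# should print "negotiate" and the two portal URLs "form".
probe_thread_urls() {
    for u in https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api \
             https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/ \
             https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/; do
        printf '%-70s %s\n' "$u" "$(probe_url "$u")"
    done
}

# Constructed header samples for offline use of classify_headers.
SAMPLE_API='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Length: 0'
SAMPLE_PORTAL='HTTP/1.1 302 Found
Location: https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US'
```

Run `probe_thread_urls` from a host with network access to the engine; an endpoint printing `form` is one the Kerberos `<Location>` rules in the Apache config do not cover, which is where to start comparing ovirt-sso.conf against the portal paths.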