Closed Bug 391493 Opened 18 years ago Closed 14 years ago

Should SPNEGO/Kerberos work?

Categories

(Calendar :: Build Config, enhancement)

x86
Linux
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: agx, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.1.5) Gecko/20070719 Iceweasel/2.0.0.5 (Debian-2.0.0.5-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4pre) Gecko/20070807

I tried using SPNEGO with a valid kerberos ticket to authenticate against the caldav server (Apple's calendarserver). While this works fine when accessing the resource with firefox 2.0, accessing the resource with sunbird 0.5 always gives me the password dialog and I couldn't see any SPNEGO traffic in tcpdump. I set network.negotiate-auth.trusted-uris but with no success. Should this work in a current release? We'd need this feature quite badly to extend our testing to more users. Could you give hints on how to start implementing this?

Reproducible: Always

Steps to Reproduce:
1. Set trusted uris to http://calendarserver.example.com
2. Use http://calendarserver.example.com:8008/calendars/users/test/calendar as caldav url

Actual Results: Password Dialog
Expected Results: No Password Dialog due to valid kerberos TGT
Enabling the auth extension enables Kerberos/SPNEGO, please add this to future builds
Please provide patches against the mozilla cvs repository, not against the Debian code repository.
I just added the patch to show what to do: enable the auth extension in the default build.
Comment on attachment 276095 Enable auth extension >- --enable-extensions=default,lightning \ >+ --enable-extensions=default,lightning,auth \ It seems that you are changing the Thunderbird build configuration. Does this have an effect on the Lightning extension at all? Otherwise this doesn't look like a Lightning bug and should be moved to Thunderbird to let the Thunderbird developers decide on this.
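Review bot: on the changed --enable-extensions line, auth is appended to a list that already contains lightning, and the quoted hunk carries no file header, so the patch itself does not show which product's build configuration it touches; name the file and state in the patch description that the target is the standalone Sunbird build. Building the extension in only makes Negotiate available, it still depends on network.negotiate-auth.trusted-uris being set, so the change should come with a note on that pref or users will keep seeing the password dialog.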
No, this is actually for sunbird (standalone), I didn't care about lightning too much since debugging looks harder.
This is, at any rate, a Build Config bug rather than a CalDAV Provider one; changing component. It does seem reasonable to me to enable SPNEGO in the default Sunbird config, given that Apple's CalendarServer is going to support kerberos auth.
Component: Provider: CalDav → Build Config
QA Contact: caldav-provider → build
I've just submitted a patch to rscds, which does now support kerberos authentication through mod_auth_kerb. Actual support for this feature is therefore in place on the server-side.
http://developer.mozilla.org/en/docs/Integrated_Authentication has some information regarding SPNEGO in Mozilla land. As far as I understand, the SPNEGO/Kerberos functionality depends on the operating system. Reporter, maybe you can try again after reading these instructions. There also exist many discussions on mailing lists when you search for "spnego firefox" that may help you. -> Nominating for resolving as INVALID.
Reading the authentication page you supplied, it still seems we need to enable the auth module for sunbird to allow negotiate authentication.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I saw this checkin today regarding kerberos. Maybe it is useful for fixing this bug: http://hg.mozilla.org/comm-central/rev/73e75f355c99
Coming from Bug #435854: Yes kerberos works. You just have to set network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris correctly. If you search for Firefox and Kerberos you should find a manual on what to insert.
I tried to check what the server returns. It seems to be in my case (zimbra):

$ curl -vk https://server.example.com/dav/XXXXX/Calendar
< HTTP/1.1 401 must authenticate
< Server: XXXXXXXXXXXX
< Date: Tue, 09 Mar 2010 05:56:51 GMT
< Content-Type: text/html; charset=iso-8859-1
< Connection: keep-alive
< WWW-Authenticate: BASIC realm="XXXXXXXX"
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Length: 1415

So it seems my server is not advertising support for negotiate auth. I would suggest anybody trying to use negotiate auth unsuccessfully to first check the server on the low level if that auth type is advertised.
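The low-level check suggested in the comment above, as an added example that is not part of the original bug thread: it parses saved curl -v output and reports which authentication schemes the server advertises. The sample responses are constructed (the first is modelled on the Zimbra reply quoted above) and the function names are hypothetical.

```python
import re

# Constructed samples: the first is modelled on the Zimbra 401 quoted above,
# the second is a made-up server that offers Negotiate with a Basic fallback.
BASIC_ONLY = """\
< HTTP/1.1 401 must authenticate
< Content-Type: text/html; charset=iso-8859-1
< WWW-Authenticate: BASIC realm="XXXXXXXX"
< Content-Length: 1415
"""
WITH_NEGOTIATE = """\
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="calendar, users", charset="UTF-8"
"""

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A scheme is a leading token NOT followed by "=" (that would be an auth-param).
_LEAD = re.compile(r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(=)?")

def advertised_schemes(raw):
    """Return the lowercase auth schemes offered via WWW-Authenticate, in order."""
    schemes = []
    for line in raw.splitlines():
        line = line.lstrip("< ").strip()  # drop the "< " prefix curl -v adds
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        value = _QUOTED.sub('""', value)  # commas inside realm="..." are not separators
        for piece in value.split(","):
            m = _LEAD.match(piece)
            if m and not m.group(2) and m.group(1).lower() not in schemes:
                schemes.append(m.group(1).lower())
    return schemes

def diagnose(raw):
    """One-line verdict on whether SPNEGO can be attempted against this server."""
    schemes = advertised_schemes(raw)
    if "negotiate" not in schemes:
        offered = ", ".join(schemes) or "nothing"
        return "server side: Negotiate not advertised (offers %s)" % offered
    return "client side: Negotiate is advertised, check network.negotiate-auth.trusted-uris"

if __name__ == "__main__":
    for sample in (BASIC_ONLY, WITH_NEGOTIATE):
        print(advertised_schemes(sample), "->", diagnose(sample))
```

A server that lists Basic alongside Negotiate, as in the second sample, can still produce a password dialog when the client does not attempt Negotiate for that URL.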
Marking WFM per comment 11. Moritz, thanks for confirming. If someone has a link to a good howto on what to insert in those prefs, please link here.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME