Bug 20203
| Summary: | WebKit does not delegate Kerberos credentials negotiation | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | W. Michael Petullo <mike> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | UNCONFIRMED | ||
| Severity: | Enhancement | CC: | andrew.kerr33, ap |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 525.x (Safari 3.1) | ||
| Hardware: | Mac | ||
| OS: | OS X 10.4 | ||
W. Michael Petullo
I am using Safari 3.1.2.
I have found that Safari does not connect to FreeIPA. FreeIPA is a web-based application that uses Kerberos for authentication. It requires that client browsers support the delegation of credentials negotiation.
Safari is not able to log in to FreeIPA.
After viewing the logs on my Kerberos server (running on Fedora 9), it appears that Safari does not provide the Kerberos TGS with my user TGT.
Other browsers work fine. See http://www.grolmsnet.de/kerbtut/credentialsdelegation.html for more information on how Firefox and Internet Explorer are configured to delegate credentials negotiation.
Mark Rowe (bdash)
<rdar://problem/6108261>
Deirdre Saoirse Moen
Developer had already filed <rdar://problem/6107768>
Andrew Kerr
I can confirm the same issue using Safari 4.03 on Mac OS X 10.6.
To reproduce the problem, you need:
- Safari
- A front-end web app which supports Kerberos authentication
- A back-end server which supports Kerberos authentication
Safari can successfully authenticate via Kerberos to the front-end web app. But the front-end is *not* able to successfully delegate those same credentials to access authenticated services on the back-end server.
By comparison, Firefox will also successfully authenticate to the front-end web app, as long as the web app's URL is included in Firefox's network.negotiate-auth.trusted-uris setting. If that was the only setting you changed in Firefox, then it would behave the same as Safari. BUT, if you also include the web app's URL in Firefox's network.negotiate-auth.delegation-uris, the web-app starts successfully authenticating to the back-end server.
So the difference appears to be the network.negotiate-auth.delegation-uris setting in Firefox. Whatever FF does in relation to this setting seems to be the thing that Safari isn't doing.
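The two Firefox settings named in the comment above can be checked together before deployment. The following is an added example, not part of the original thread and not Firefox or WebKit code: it parses a `user.js`-style prefs text, reports how a given host would be treated under the behaviour the comment describes, and lists delegation entries that cover more than one host. The hostnames are placeholders, and the matching rule is a simplified assumption rather than Firefox's exact matcher.

```python
import re

# The two Firefox prefs named in the comment above.
TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"
PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

def read_prefs(text):
    """Parse user.js/prefs.js text into {pref: [entries]} for the two prefs."""
    prefs = {TRUSTED: [], DELEGATION: []}
    for name, value in PREF_RE.findall(text):
        if name in prefs:
            prefs[name] = [e.strip().lower() for e in value.split(",") if e.strip()]
    return prefs

def entry_host(entry):
    """Drop an optional scheme and path: 'https://ipa.example.test/x' -> host."""
    return entry.split("://", 1)[-1].split("/", 1)[0]

def matches(host, entries):
    # Assumption: exact host or dot-boundary suffix match; a scheme-only entry
    # such as "https://" is treated as matching every host. Scheme/port ignored.
    host = host.lower()
    for e in entries:
        h = entry_host(e).lstrip(".")
        if not h or host == h or host.endswith("." + h):
            return True
    return False

def behaviour(host, prefs):
    """Classify a host the way the comment describes the two settings."""
    if not matches(host, prefs[TRUSTED]):
        return "no-negotiate"
    if matches(host, prefs[DELEGATION]):
        return "authenticate-and-delegate"
    return "authenticate-only"  # the behaviour the thread reports for Safari

def broad_delegation(prefs):
    """Delegation entries wider than one host (domain suffix or scheme-only)."""
    return [e for e in prefs[DELEGATION] if entry_host(e)[:1] in ("", ".")]

# Constructed sample; hostnames are placeholders.
SAMPLE = '''
user_pref("network.negotiate-auth.trusted-uris", "https://ipa.example.test, .corp.example.test");
user_pref("network.negotiate-auth.delegation-uris", "https://ipa.example.test");
'''

if __name__ == "__main__":
    p = read_prefs(SAMPLE)
    print({h: behaviour(h, p) for h in ("ipa.example.test", "wiki.corp.example.test")})
    print("broad delegation entries:", broad_delegation(p))
```

Keeping the delegation list to the specific front-end hosts that need it limits which services receive a forwarded Kerberos credential.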
Alexey Proskuryakov
> I can confirm the same issue using Safari 4.03 on Mac OS X 10.6.
Please report this to Apple via <http://bugreport.apple.com> (despite comments 1 and 2).
Andrew Kerr
Reported to Apple. Bug id #7390225.