Bug 20203 - WebKit does not delegate Kerberos credentials negotiation
Summary: WebKit does not delegate Kerberos credentials negotiation
Status: UNCONFIRMED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 525.x (Safari 3.1)
Hardware: Mac OS X 10.4
Importance: P2 Enhancement
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-07-28 17:10 PDT by W. Michael Petullo
Modified: 2009-11-12 14:36 PST
Description W. Michael Petullo 2008-07-28 17:10:20 PDT
I am using Safari 3.1.2. 

I have found that Safari does not connect to FreeIPA. FreeIPA is a web-based application that uses Kerberos for authentication. It requires that client browsers support the delegation of credentials negotiation.

Safari is not able to log in to FreeIPA.

After viewing the logs on my Kerberos server (running on Fedora 9), it appears that Safari does not provide the Kerberos TGS with my user TGT.

Other browsers work fine. See http://www.grolmsnet.de/kerbtut/credentialsdelegation.html for more information on how Firefox and Internet Explorer are configured to delegate credentials negotiation.
Comment 1 Mark Rowe (bdash) 2008-07-28 19:51:00 PDT
<rdar://problem/6108261>
Comment 2 Deirdre Saoirse Moen 2008-07-29 15:22:47 PDT
Developer had already filed <rdar://problem/6107768>
Comment 3 Andrew Kerr 2009-11-11 19:04:53 PST
I can confirm the same issue using Safari 4.03 on Mac OS X 10.6.

To reproduce the problem, you need:
- Safari
- A front-end web app which supports Kerberos authentication
- A back-end server which supports Kerberos authentication

Safari can successfully authenticate via Kerberos to the front-end web app. But the front-end is *not* able to successfully delegate those same credentials to access authenticated services on the back-end server.

By comparison, Firefox will also successfully authenticate to the front-end web app, as long as the web app's URL is included in Firefox's network.negotiate-auth.trusted-uris setting. If that was the only setting you changed in Firefox, then it would behave the same as Safari. BUT, if you also include the web app's URL in Firefox's network.negotiate-auth.delegation-uris, the web-app starts successfully authenticating to the back-end server.

So the difference appears to be the network.negotiate-auth.delegation-uris setting in Firefox. Whatever FF does in relation to this setting seems to be the thing that Safari isn't doing.
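
The two Firefox settings described in Comment 3, as an added example that is not part of the original bug thread: a small JavaScript (Node.js) checker that reads both preferences from a prefs file and reports whether a URL would get no Negotiate, authentication only, or authentication plus delegation. The sample prefs, the host names, and the simplified entry-matching rule are assumptions made for illustration.

```javascript
// Constructed sample of Firefox prefs (user.js syntax); host names are placeholders.
const SAMPLE_PREFS = `
user_pref("network.negotiate-auth.trusted-uris", "https://ipa.example.test, .corp.example.test");
user_pref("network.negotiate-auth.delegation-uris", "https://ipa.example.test");
`;

// Return a comma-separated string pref as a list of entries (last assignment wins).
function readListPref(prefsText, name) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/g;
  let value = "";
  for (const m of prefsText.matchAll(re)) {
    if (m[1] === name) value = m[2];
  }
  return value.split(",").map((s) => s.trim()).filter(Boolean);
}

// Simplified matching model (assumption): an entry is [scheme://][host-or-domain][:port],
// and a host entry also covers its subdomains.
function entryMatches(entry, url) {
  const u = new URL(url);
  let rest = entry.toLowerCase();
  const i = rest.indexOf("://");
  if (i !== -1) {
    if (rest.slice(0, i) + ":" !== u.protocol) return false;
    rest = rest.slice(i + 3);
  }
  rest = rest.split("/")[0];
  const port = rest.match(/:(\d+)$/);
  if (port) {
    const defaultPort = u.protocol === "https:" ? "443" : "80";
    if ((u.port || defaultPort) !== port[1]) return false;
    rest = rest.slice(0, port.index);
  }
  const domain = rest.replace(/^\./, "");
  if (domain === "") return true; // scheme-only entry: any host
  return u.hostname === domain || u.hostname.endsWith("." + domain);
}

// "none": no Negotiate; "negotiate": authenticate only (the behaviour reported for Safari);
// "negotiate+delegate": the user's credentials are also delegated to the site.
function classify(prefsText, url) {
  const matches = (pref) =>
    readListPref(prefsText, pref).some((e) => entryMatches(e, url));
  if (!matches("network.negotiate-auth.trusted-uris")) return "none";
  return matches("network.negotiate-auth.delegation-uris")
    ? "negotiate+delegate"
    : "negotiate";
}
```

Keeping `delegation-uris` narrower than `trusted-uris`, as in the sample, limits which sites receive delegated credentials.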
Comment 4 Alexey Proskuryakov 2009-11-11 23:06:53 PST
> I can confirm the same issue using Safari 4.03 on Mac OS X 10.6.

Please report this to Apple via <http://bugreport.apple.com> (despite comments 1 and 2).
Comment 5 Andrew Kerr 2009-11-12 14:36:26 PST
Reported to Apple. Bug id #7390225.