I am using Safari 3.1.2. I have found that Safari does not connect to FreeIPA. FreeIPA is a web-based application that uses Kerberos for authentication. It requires that client browsers support the delegation of credentials negotiation. Safari is not able to login to FreeIPA. After viewing the logs on my Kerberos server (running on Fedora 9), it appears that Safari does not provide the Kerberos TGS with my user TGT. Other browsers work fine. See http://www.grolmsnet.de/kerbtut/credentialsdelegation.html for more information on how Firefox and Internet Explorer are configured to delegate credentials negotiation.
<rdar://problem/6108261>
Developer had already filed <rdar://problem/6107768 >
I can confirm the same issue using Safari 4.03 on Mac OS X 10.6. To reproduce the problem, you need: - Safari - A front-end web app which support Kerberos authentication - A back-end server which supports Kerberos authentication Safari can successfully authenticate via Kerberos to the front-end web app. But the front-end is *not* able to successfully delegate those same credentials to access authenticated services on the back-end server. By comparison, Firefox will also successfully authenticate to the front-end web app, as long as the web app's URL is included in Firefox's network.negotiate-auth.trusted-uris setting. If that was the only setting you changed in Firefox, then it would behave the same as Safari. BUT, if you also include the web app's URL in Firefox's network.negotiate-auth.delegation-uris, the web-app starts successfully authenticating to the back-end server. So the difference appears to be the network.negotiate-auth.delegation-uris setting in Firefox. Whatever FF does in relation to this setting seems to be the thing that Safari isn't doing.
> I can confirm the same issue using Safari 4.03 on Mac OS X 10.6. Please report this to Apple via <http://bugreport.apple.com> (despite comments 1 and 2).
Reported to Apple. Bug id #7390225.