Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 6. Configuring Applications for Single Sign-On

After a smart card is enrolled, the smart card can be used for SSL client authentication and S/MIME email applications. The PKCS #11 module used by these applications, by default, is located in /usr/lib/libcoolkeypk11.so.

6.1. Configuring Firefox to Use Kerberos for Single Sign-On
复制链接

Firefox can use Kerberos for single sign-on to intranet sites and other protected websites. For Firefox to use Kerberos, it first has to be configured to send Kerberos credentials to the appropriate KDC.
  1. In the address bar of Firefox, type about:config to display the list of current configuration options.
  2. In the Filter field, type negotiate to restrict the list of options.
  3. Double-click the network.negotiate-auth.trusted-uris entry.
  4. Enter the name of the domain against which to authenticate.
    View larger image
  5. Next, configure the network.negotiate-auth.delegation-uris entry, using the same domain as for network.negotiate-auth.trusted-uris.

Note

Even after Firefox is configured to pass Kerberos credentials, it still requires a valid Kerberos ticket to use. To generate a Kerberos ticket, use the kinit command and supply the user password for the user on the KDC. 
[jsmith@host ~] $ kinit
Password for jsmith@EXAMPLE.COM:
Copy to Clipboard Toggle word wrap
If Kerberos authentication is not working, turn on verbose logging for the authentication process.
  1. Close all instances of Firefox.
  2. In a command prompt, export values for the NSPR_LOG_* variables: 
    export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log
    Copy to Clipboard Toggle word wrap
  3. Restart Firefox from that shell, and visit the website where Kerberos authentication is failing.
  4. Check the /tmp/moz.log file for error messages with nsNegotiateAuth in the message.
There are several common errors that occur with Kerberos authentication.
  • The first error says that no credentials have been found. 
    -1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
No credentials cache found
    Copy to Clipboard Toggle word wrap
    This means that there are no Kerberos tickets (meaning that they expired or were not generated). To fix this, run kinit to generate the Kerberos ticket and then open the website again.
  • The second potential error is if the browser is unable to contact the KDC, with the message Server not found in Kerberos database. 
    -1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
Server not found in Kerberos database
    Copy to Clipboard Toggle word wrap
    This is usually a Kerberos configuration problem. The correct entries must be in the [domain_realm] section of the /etc/krb5.conf file to identify the domain. For example: 
    .example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
    Copy to Clipboard Toggle word wrap
  • If there are no errors in the log, then the problem could be that an HTTP proxy server is stripping off the HTTP headers required for Kerberos authentication. Try to connect to the site using HTTPS, which allows the request to pass through unmodified.
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat