There is already a fix for this in the pipeline.

jeremy

On Sep 30, 2005, at 9:20 PM, Scooter Morris wrote:

if (!strcmp(servicetype, "https")) servicetype[4] = '\0'; + + if (!strcmp(servicetype, "http")) + strcpy(servicetype, "HTTP");

-- scooter

Becky - SPNEGO 'spec' : http://msdn.microsoft.com/library/default.asp?url=""> << [....]

1. Create the SPNs associated with this account on the KDC:

setspn -A host/mysrvr.proseware.com mysrvr
setspn -A HTTP/mysrvr.proseware.com mysrvr

*Note* Use upper-case "HTTP" to match the way Internet Explorer builds SPNs.

Alternatively, you can run ktpass (as shown below) to create the SPNs. When using the "*-princ*" option of ktpass, you are specifying the Kerberos
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (Macnetworkprog@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macnetworkprog/site_archiver%40lists....

We really need a fix for this problem! The problem is pretty clear, the CFNetwork layer is assuming that the scheme (e.g. ftp, http, https) can be mapped directly into a service principal. This works for ftp, but not for http (they test for and drop the 's'). Here is a patch:

--- CFHTTPAuthentication.c 2005-09-30 21:09:05.118012864 -0700 +++ CFHTTPAuthentication.c.fixed 2005-09-30 21:11:30.516734591 -0700 
@@ -2052,16 +2052,19 @@ UInt8* hostname = _CFStringGetOrCreateCString(alloc, host, buf1, &len, kCFStringEncodingASCII); UInt8* servicetype; len = sizeof(buf2); servicetype = _CFStringGetOrCreateCString (alloc, scheme, buf2, &len, kCFStringEncodingASCII); if (!GetSvcTicketForHost(hostname, servicetype, &tktLen, &ticket)) { result->_preferred = current_scheme; } if (hostname != buf1) CFAllocatorDeallocate(alloc, hostname);

All this does is check for "http" and map it to "HTTP" before calling GetSvcTicketForHost. I believe that this will fix the problem and not have any deleterious impact.

Becky Willrich wrote:

I looked at the bug - looks like the spec sez that string should be case-insensitive. Where precisely is this failing? That is, what server is requiring precisely the uppercase string?

Kerberos 5 principal names are normally case sensitive. Just about every other server principal uses a lower case service name; SPNEGO is the odd one out. In fact the earliest versions of the SPNEGO drafts did specify http/<hostname>; however this was broken in later drafts, and in deployed code.

Simple explanation of the normal convention in the java docs here:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html

Kitten hasn't changed this, because it would break the installed base.
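
Review bot: the added strcpy(servicetype, "HTTP") after the "https" check rewrites the service name unconditionally ahead of the single GetSvcTicketForHost(hostname, servicetype, &tktLen, &ticket) call, so a server whose principal is registered in the lower-case http/<hostname> form would no longer get a ticket. Consider requesting "HTTP" first and retrying with "http" when that call fails. Both strcmp tests are case-sensitive, so a scheme string that arrives as "HTTPS" or "Http" skips both branches; a case-insensitive compare would cover that. The in-place write into servicetype is only safe because "HTTP" is the same length as "http"; a short comment stating that, and why the upper-case form is needed, would help the next reader.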