Bug 7311 - Only Microsoft's built-in Kerberos implementation works on Windows
Summary: Only Microsoft's built-in Kerberos implementation works on Windows
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Reported: 2019-02-14 15:14 CET by Samuel Mannehed
Modified: 2023-12-01 14:53 CET

Description Samuel Mannehed cendio 2019-02-14 15:14:05 CET
You can't authenticate with an alternative Kerberos implementation in the ThinLinc client on Windows. Only Microsoft's built-in implementation works.

See bug 5816 for Heimdal Kerberos authentication.
Comment 2 Pierre Ossman cendio 2019-02-19 12:39:31 CET
The use case is that in some cases you want to use Kerberos authentication against a ThinLinc system that has absolutely nothing to do with the Active Directory domain that your local Windows machine is a part of.

Under Linux you would just do "kinit user@OTHER.REALM", but Windows lacks any such tools. So people install alternative Kerberos implementations for this.

For reference, there are also a bunch of different patches floating around to add support for this for PuTTY, so there is some precedent for supporting this model.
Comment 3 Pierre Ossman cendio 2023-12-01 14:12:18 CET
For reference, Firefox supports using GSSAPI instead of SSPI on Windows. Relevant settings are:

 * network.auth.use-sspi
 * network.negotiate-auth.using-native-gsslib
 * network.negotiate-auth.gsslib
