Hi All,

AM 4.0.1-88.

Redhat Admin Console, Redhat Identity Provider.

When attempting to SSO into an application set up for Kerberos
authentication, we're finding Internet Explorer (8) falls back to our
custom login page unexpectedly. Using Chrome, Kerberos desktop SSO
works fine. When Firefox is set up for Kerberos, desktop SSO works fine as
well. The only information available in the IDP Tomcat log when we
attempt to access the application using IE is -"Application:
Authentication method kerberos requires additional interaction.-".

We have another test environment which is currently built using SLES,
and has 2 IDPs and a load balancer in front of them. Kerberos works
fine in this environment, when the IDP base URL is set up as the DNS name
of the load balancer. The load balancer on port 443 forwards traffic to
port 8443 of the IDPs.

In the problem environment, without a load balancer, we have tried having
an IDP base URL of https://serverfqdn:8443, but ran into the Kerberos
problem as described above (ie not working, ff & chrome ok). We then
created a CNAME record pointing at the serverfqdn, with a DNS name more
in tune with the DNS name of our test environment. This was to try and
rule in / out any problems with IE trusted sites etc.

This again gives us the same problem where Kerberos SSO works in FF &
Chrome, but not IE.

Any ideas?

gbatty1's Profile: https://forums.netiq.com/member.php?userid=2072
View this thread: https://forums.netiq.com/showthread.php?t=52021