[Freeipa-users] Problems with single signon with firefox
Rob Crittenden
rcritten at redhat.com
Sat Jul 30 19:02:04 UTC 2011
roland.kaeser at intersoft-networks.ch wrote:
> Hello
>
> I just installed freeipa on scientific linux 6.1. Installation worked
> find so far but I cannot logon to the web interface.
> Firefox is configured with the ca cert and single sign on settings.
> Login as admin via ssh works fine and I get the valid
> ticket.
> But when I open the ipa web interface I get only: Your kerberos ticket
> is no longer valid. Please run kinit and then click 'Retry'.
>
> In the titlebar I see : "_Logged in as: *user at FREEIPA.ORG*_**
> <https://freeipa.intersoft-networks.ch/ipa/ui/#>"
>
>
> This is a bit strange to me I cannot see where this error comes from.
> Has someone a hint for me
>
>
> Regards
>
> Roland
On the server side you can increase debug output by setting LogLevel to
debug in /etc/httpd/conf.d/nss.conf and restarting or you can
troubleshoot it from the client side by looking at:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html
One important factor is that you are going to the server that we created
a web principal for. If your server has a CNAME, for example, you have
to use the A record. We do a fair bit of redirecting using mod_rewrite
to be sure you get to the right host but it isn't perfect.
rob
More information about the Freeipa-users
mailing list