Kerberos ticket forwarding doesn't work in Safari

Number: rdar://6644527
Date Originated: 2009/03/04
Status: Open
Resolved:
Product: Safari
Product Version: 3, 4
Classification: Security
Reproducible: Always
04-Mar-2009 02:34 AM Michael Lowry:
Both Safari 3 and the public beta of Safari 4 can do SPNEGO authentication, and can use the user's Kerberos credentials to authenticate with a web server, provided that the user has already been granted a Kerberos ticket.

However, Safari does not appear to be able to forward forwardable Kerberos tickets to a worker program running on the web server. This prevents some web applications that rely on such tickets for authentication from working.

Steps to reproduce:
1. Obtain a forwardable Kerberos ticket. This can be done at login if the user is a Mobile (Active Directory) user and the proper settings for obtaining a forwardable ticket have been entered into /Library/Preferences/. Otherwise, it can be done by running 'kinit -f username' from the command line.
2. Verify that a forwardable ticket-granting ticket has been received. Do this by running 'klist -f' from the command line. Sample output from my machine:
$ klist -f
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: mlo@ZURICH.IBM.COM

Valid Starting     Expires            Service Principal
03/04/09 11:18:21  03/04/09 21:18:21  krbtgt/ZURICH.IBM.COM@ZURICH.IBM.COM
        renew until 03/11/09 11:18:21, FPRIA

The F in the flags (FPRIA) means that the ticket is forwardable.
3. Run Safari and navigate to a web page that uses Kerberos for authentication. This much will work.
4. Navigate to a part of the page that forwards the user's credentials to a worker program on the web server.

Expected Results:
The web server will be able to pass the user's Kerberos ticket to the worker program. This program will be able to authenticate the user. It will do its work and the web server will be able to serve the page the user requested.

Actual Results:
Safari does not provide a forwardable Kerberos ticket to the web server. When the web server spawns the worker program, the worker program does not receive the user's credentials. It fails to authenticate the user, and is unable to proceed. The web page fails to load.

Firefox properly handles forwardable Kerberos tickets.
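As an added illustration of the check in step 2 (example code, not part of the original report), the following Python parses 'klist -f' output in the format shown above and reports whether the ticket-granting ticket carries the F (forwardable) flag that credential delegation depends on. The embedded sample output is constructed; the principal names and the second (HTTP service) ticket are assumptions.

```python
import re

# Constructed sample in the layout shown in the report (not real output).
SAMPLE_KLIST = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@EXAMPLE.COM

Valid Starting     Expires            Service Principal
03/04/09 11:18:21  03/04/09 21:18:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/11/09 11:18:21, FPRIA
03/04/09 11:20:05  03/04/09 21:18:21  HTTP/www.example.com@EXAMPLE.COM
        renew until 03/11/09 11:18:21, PRAT
"""

# A ticket line: two MM/DD/YY HH:MM:SS timestamps followed by the service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
# Flags appear after the last comma of the indented "renew until ..." line.
FLAGS_RE = re.compile(r",\s*([A-Za-z]+)\s*$")


def parse_klist(text):
    """Return a list of {'service': ..., 'flags': ...} dicts, one per ticket."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "flags": ""})
            continue
        if tickets and line.startswith(" "):
            f = FLAGS_RE.search(line)
            if f:
                tickets[-1]["flags"] = f.group(1)
    return tickets


def tgt_is_forwardable(text):
    """True if the cache holds a krbtgt ticket whose flags include F."""
    for t in parse_klist(text):
        if t["service"].startswith("krbtgt/"):
            return "F" in t["flags"]
    return False  # no TGT at all: nothing can be forwarded


if __name__ == "__main__":
    print("TGT forwardable:", tgt_is_forwardable(SAMPLE_KLIST))
```

Feed it the real output with 'klist -f | python3 check.py' style plumbing, or call parse_klist on the captured text; a TGT obtained without 'kinit -f' (or the matching preference) shows no F and the delegation step cannot work regardless of the browser.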

