Safari fails GSSAPI/Kerberos authentication when hostname is a CNAME (DNS alias)

Originator: crschmidt
Number: rdar://10934238
Date Originated: 26-Feb-2012 09:32 AM
Status: Open
Resolved:
Product: Safari
Product Version: Version 5.1.3 (7534.53.10)
Classification:
Reproducible: Yes
 
26-Feb-2012 09:32 AM Christopher Schmidt:
Summary:

Safari appears to be unable to use GSSAPI (Kerberos) authentication for URLs that contain a CNAME instead of an A-record. (A post was made about this in ~2010 at https://discussions.apple.com/thread/2414517.) 

This behavior is not new: so far as I can tell, this has always been the case (I have never been able to authenticate via Safari to CNAME-based Kerberos authenticated services using Kerberos), so this is not a regression of any particular kind.

Example:
http://statusmeldungen.uni-paderborn.de contains the hostname statusmeldungen.uni-paderborn.de which is just a CNAME to haldus.uni-paderborn.de.

So the browser must request the service ticket HTTP/haldus.uni-paderborn.de

Firefox does this, but Safari tries to fetch HTTP/statusmeldungen.uni-paderborn.de which does not exist, so it fails.

Steps to Reproduce:
Configure Kerberos authentication on a webserver which is served under a CNAME. Once this is done, visit the CNAME host in Safari. Observe that authentication fails (or falls back to non-Negotiate auth).

Expected Results:
Safari requests a ticket for the underlying target of the CNAME, and authentication succeeds.

Actual Results:
Safari requests a ticket for the CNAME, which does not have a service ticket, and authentication fails.

Regression:

Notes:
This behavior differs from IE, Firefox, and Chrome. (Chrome does have a command line option to duplicate the Safari behavior -- --disable-auth-negotiate-cname-lookup -- but it's clearly only a debugging flag, not something that is enabled by default.)
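
The two service-principal derivations described in this report, as an added illustration (not part of the original report and not any browser's code). The DNS table, the 192.0.2.10 address and the KDC principal set are constructed from the report's example hostnames, and all function names are hypothetical.

```python
# Constructed sample data mirroring the hostnames in the report.
DNS = {
    "statusmeldungen.uni-paderborn.de": ("CNAME", "haldus.uni-paderborn.de"),
    "haldus.uni-paderborn.de": ("A", "192.0.2.10"),  # documentation address, constructed
}
# Principals assumed to be registered in the KDC (only the real host has one).
KDC_PRINCIPALS = {"HTTP/haldus.uni-paderborn.de"}


def canonical_name(host, records, max_hops=8):
    """Follow CNAME records until a name that is not an alias is reached."""
    name = host.rstrip(".").lower()
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        rtype, value = records.get(name, (None, None))
        if rtype != "CNAME":
            return name  # A record or unknown name: stop here
        name = value.rstrip(".").lower()


def spn_for(url_host, records, cname_lookup):
    """Build the HTTP service principal name a client would request."""
    if cname_lookup:
        target = canonical_name(url_host, records)
    else:
        target = url_host.rstrip(".").lower()
    return f"HTTP/{target}"


def negotiate_outcome(url_host, records, principals):
    """Compare both derivations against the principals the KDC knows."""
    result = {}
    for label, lookup in (("with_cname_lookup", True), ("without_cname_lookup", False)):
        spn = spn_for(url_host, records, lookup)
        result[label] = (spn, spn in principals)
    return result


if __name__ == "__main__":
    for label, (spn, ok) in negotiate_outcome(
        "statusmeldungen.uni-paderborn.de", DNS, KDC_PRINCIPALS
    ).items():
        print(f"{label}: requests {spn} -> {'ticket issued' if ok else 'principal unknown'}")
```

Run against a list of aliased service names, the same comparison shows which hosts would need an additional principal registered for the alias to work with a client that does not canonicalize.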
