Open Bug 523498 Opened 15 years ago Updated 2 years ago

Kerberos: unable to use multiple accounts using secure auth in separate realms

Categories

(MailNews Core :: Security, enhancement)

Product:
MailNews Core
Component:
Security
Version:
1.9.1 Branch
Platform:
x86
macOS
Type:
enhancement

Tracking

(Not tracked)

People

(Reporter: mfw113, Unassigned)

Details

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090915 Thunderbird/3.0b4 I have two accounts, both configured for secure auth. Accounts use two different kerberos realms. Thunderbird will use use ticket for the first account Reproducible: Always Steps to Reproduce: 1.setup multiple email accounts for secure auth in separate realms 2.check email Actual Results: First account used will get ticket and work fine, second account will not You cannot log in to ****.****.its.****.edu because you have enabled secure authentication and this server does not support it. To log in, turn off secure authentication for this account. Expected Results: Both accounts to work I have tickets for both accounts (some info replaced with ****) $ klist -A Kerberos 5 ticket cache: 'API:Initial default ccache' Default principal: *****@dce.*****.edu Valid Starting Expires Service Principal 10/20/09 19:17:26 10/21/09 05:17:45 krbtgt/dce.****.edu@dce.****.edu renew until 11/17/09 18:17:26 10/20/09 19:17:26 10/21/09 05:17:45 imap/****.****.****.edu@****.psu.edu renew until 11/17/09 18:17:26 10/20/09 19:36:43 10/21/09 05:17:45 imap/****.****.edu@****.psu.edu renew until 11/17/09 18:17:26 ------------------------------------------------------------------------------- Kerberos 5 ticket cache: 'API:1' Default principal: ****@****.ITS.****.EDU Valid Starting Expires Service Principal 10/20/09 19:53:20 10/21/09 05:53:46 krbtgt/****.ITS.*****.EDU@****.ITS.****.EDU renew until 10/20/09 19:53:20 10/20/09 19:53:33 10/21/09 05:53:46 imap/*****.*****.its.****.edu@*****.ITS.****.EDU renew until 10/20/09 19:53:20
Version: unspecified → 3.0
If I not mistaken this is limitation of GSSAPI code in Thunderbird we will pickup first available principal (default I suppose) and keep using it. Let see if I can reproduce it on Windows too.
Component: Account Manager → Security
Product: Thunderbird → MailNews Core
QA Contact: account-manager → security
Version: 3.0 → 1.9.1 Branch
CONFIRMing. This annoyed me too during testing.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Example: Kerberos at office, Kerberos setup at home, and a test server at MoMo.)
Severity: major → normal
Type: defect → enhancement
Summary: not able to use multiple accounts using secure auth in separate realms → Kerberos: unable to use multiple accounts using secure auth in separate realms
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.