[CalendarServer-users] Kerberos fails with iCal (but authenticates in Firefox)

Arthur Prokosch arthurp at csail.mit.edu
Thu Jul 24 12:48:45 PDT 2008


All --

I'm trying to get iCal to authenticate to caldavd using Kerberos, and as 
far as I can tell, it never tries: from the logs and traces, it appears 
that it accesses the given URL once without any authentication, then 
fails to retry based on the WWW-Authenticate: headers that it receives. 
iCal can connect with Digest authentication, and browsers (e.g. Firefox) 
can connect using Kerberos, both with no problems.

Has anyone here gotten iCal's Kerberos authentication to work with 
Darwin Calendar Server?  When running on Linux?

Background:
  * caldavd (from dpkg, 1.2.dfsg-4) running on Debian 4.0 
(2.6.18-6-xen-amd64, root filesystem using user_xattr).
  * When using digest authentication (and passwords in accounts.xml), 
Sunbird and iCal can access calendars, creating and removing 
appointments and tasks.  Browsers (e.g. Firefox) can also log into 
protected URLs.
  * When using Kerberos authentication, Firefox can log into protected 
URLs (causing a new Kerberos ticket to appear within Kerberos.app), but 
iCal will return "Login Failed: Your password was rejected by the server 
julian.csail.mit.edu for the login calendartest." -- using an identical 
URL to the one that works in Firefox, 
<http://julian.csail.mit.edu:8008/principals/users/calendartest/>
  * Switching all URLs to https:// causes no change in behavior with any 
of the clients mentioned above (other than a radar bug I'd like to file 
as to iCal not trusting intermediate CAs, but I digress).
  * Using different machines and/or different Kerberos principals 
reproduces the behavior with all clients.

Verbosity:
output of "klist" run locally (where clients are being run):
 > imaction:~ arthurp$ klist
 > Kerberos 5 ticket cache: 'API:Initial default ccache'
 > Default principal: calendartest@CSAIL.MIT.EDU
 >
 > Valid Starting     Expires            Service Principal
 > 07/24/08 14:23:15  07/25/08 00:23:15  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
 > 	renew until 07/31/08 14:23:15
 > 07/24/08 14:30:58  07/25/08 00:23:15  HTTP/julian.csail.mit.edu@CSAIL.MIT.EDU
 > 	renew until 07/31/08 14:23:15

Entire error.log output corresponding to hitting "add account" in 
iCal.app through it displaying "Login failed":
 > 2008-07-24 14:36:21-0400 [-] [caldav-8008] [HTTPChannel,1,128.30.29.5] PROPFIND /principals/users/calendartest/ HTTP/1.1

Entire access.log output for same:
 > 128.30.29.5 - - [24/Jul/2008:14:36:21 -0400] "PROPFIND /principals/users/calendartest/ HTTP/1.1" 401 141 "-" "DAVKit/2.0 (10.5.4; wrbt) iCal 3.0.4" [8.9 ms]

If caldavd.plist, accounts.plist, and/or tcpdumps would be useful, let 
me know how best to send them.

thanks for any ideas,
-arthur prokosch
CSAIL, MIT.
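
The following is an added example, not part of the original message and not code from the Calendar Server project: a short script that scans access.log lines in the format quoted above and reports clients that were answered with 401 but never drew any other response, which is the pattern the post describes for iCal. It assumes the third field carries the authenticated user as in the common log format; the Firefox lines in the sample are constructed.

```python
import re
from collections import defaultdict

# Combined-log-style pattern matching the access.log line quoted in the post.
# Assumption: field 3 is the authenticated user ("-" when unauthenticated).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def find_unretried_challenges(lines):
    """Return sorted (ip, agent, n_401) for clients that received 401
    responses and never received any non-401 response."""
    challenged = defaultdict(int)   # (ip, agent) -> number of 401 replies
    got_past = set()                # (ip, agent) pairs with a non-401 reply
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # not an access.log line in this format
        key = (m["ip"], m["agent"])
        if m["status"] == "401":
            challenged[key] += 1
        else:
            got_past.add(key)
    return sorted((ip, agent, n) for (ip, agent), n in challenged.items()
                  if (ip, agent) not in got_past)

# First line is the one from the post; the two Firefox lines are constructed
# to show a client that retries with credentials after the challenge.
SAMPLE_LOG = [
    '128.30.29.5 - - [24/Jul/2008:14:36:21 -0400] "PROPFIND '
    '/principals/users/calendartest/ HTTP/1.1" 401 141 "-" '
    '"DAVKit/2.0 (10.5.4; wrbt) iCal 3.0.4" [8.9 ms]',
    '128.30.29.5 - - [24/Jul/2008:14:40:02 -0400] "GET '
    '/principals/users/calendartest/ HTTP/1.1" 401 141 "-" '
    '"Mozilla/5.0 (constructed) Firefox/3.0" [7.1 ms]',
    '128.30.29.5 - calendartest [24/Jul/2008:14:40:02 -0400] "GET '
    '/principals/users/calendartest/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (constructed) Firefox/3.0" [12.4 ms]',
]

if __name__ == "__main__":
    for ip, agent, n in find_unretried_challenges(SAMPLE_LOG):
        print(f"{ip} {agent!r}: {n} challenge(s), no retry past 401")
```

Keying on both address and user agent keeps the working browser from masking the failing client when both run on the same machine.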

