I just went through the motions of accessing the WUI from my laptop instead of running Firefox inside the appliance. I am sure others on this list know this already, but since I am pretty much a krb5 n00b, this was all new to me.

I assume that you have the WUI appliance running on ovirt.home.net, and want to access it from your laptop at laptop.home.net (note that I changed the name of the WUI appliance, as my home network is not in the ovirt.org domain).

* Make sure that ovirt.home.net and laptop.home.net can access each other on the network (e.g., by putting ovirt.home.net on a shared interface on its host)
* Make sure that forward and reverse DNS for those two machines is set up properly, both on the laptop and on ovirt.home.net
* Check proper DNS resolution again
* Log into ovirt.home.net as root.
* Set an explicit kerberos password for ovirtadmin

  # kinit -k -t /usr/share/ovirt-wui/ovirtadmin.tab ovirtadmin@PRIV.OVIRT.ORG
  # ipa-passwd
  Enter new password of your choice

* Create a host and a HTTP service principal for ovirt.home.net

  # kinit admin@PRIV.OVIRT.ORG
  (password is ovirt)
  # ipa-addservice host/ovirt.watzmann.net@PRIV.OVIRT.ORG
  # ipa-addservice HTTP/ovirt.watzmann.net@PRIV.OVIRT.ORG

* Add principals to the relevant keytabs (make backup copies of those before actually running these commands; breaking the keytabs is a great way to get to a place where nothing works)

  # kadmin.local
  kadmin.local: ktadd -k /etc/httpd/conf/ipa.keytab HTTP/ovirt.watzmann.net@PRIV.OVIRT.ORG
  kadmin.local: ktadd -k /etc/krb5.keytab host/ovirt.watzmann.net@PRIV.OVIRT.ORG

* Restart the affected services (not quite sure if that is really needed)

  # service krb5kdc restart
  # service httpd restart

* Log into laptop.home.net as root
* Add the following block in the [realms] section of /etc/krb5.conf

  PRIV.OVIRT.ORG = {
    kdc = ovirt.home.net:88
    admin_server = ovirt.home.net:749
    default_domain = priv.ovirt.org
  }

* Add the line 'ovirt.home.net = PRIV.OVIRT.ORG' in the [domain_realms] section of /etc/krb5.conf
* Log into laptop.home.net as you
* Get a forwardable, addressless ticket (addressless might be overkill, but if it's not forwardable, /var/log/krb5kdc.log on ovirt.home.net complains a lot about a non-forwardable ticket)

  > kinit -A -f ovirtadmin@PRIV.OVIRT.ORG
  (use the password that you set previously with ipa-passwd)

* In Firefox, set up auth negotiation through Kerberos:
  * Open 'about:config' and search for 'negotiate'
  * Change the following settings:

    network.negotiate-auth.trusted-uris=ovirt.home.net
    network.negotiate-auth.delegation-uris=ovirt.home.net
    network.negotiate-auth.using-native-gsslib=true

  (If you have other URIs in the trusted-uris or delegation-uris, these are comma-separated lists of domains, hosts or actual URIs)
* Go to http://ovirt.home.net/ovirt and (hopefully) admire the Dashboard

David
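As an added example (not part of the post above), the laptop-side steps as a small Python helper: it merges the post's [realms] block and host-to-realm mapping into a krb5.conf text idempotently, and checks `klist -f` output for the forwardable flag the KDC insists on. The krb5.conf and klist samples are constructed, not captured from a real system.

```python
import re

REALM = "PRIV.OVIRT.ORG"      # realm named in the post
KDC_HOST = "ovirt.home.net"   # WUI appliance, which also runs the KDC

def parse_sections(text):
    """Split krb5.conf text into {section: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[(\w+)\]\s*$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def merge_krb5_conf(text, realm=REALM, kdc_host=KDC_HOST):
    """Add the post's [realms] block and host mapping, idempotently.
    The mapping section is spelled [domain_realm] in krb5.conf."""
    sections = parse_sections(text)
    realms = sections.setdefault("realms", [])
    if not any(l.strip().startswith(f"{realm} =") for l in realms):
        realms += [f"  {realm} = {{", f"    kdc = {kdc_host}:88",
                   f"    admin_server = {kdc_host}:749",
                   f"    default_domain = {realm.lower()}", "  }"]
    mapping = sections.setdefault("domain_realm", [])
    if not any(l.strip().startswith(f"{kdc_host} =") for l in mapping):
        mapping.append(f"  {kdc_host} = {realm}")
    return "\n".join(f"[{s}]\n" + "\n".join(ls) + "\n" for s, ls in sections.items())

def tgt_is_forwardable(klist_output, realm=REALM):
    """Inspect `klist -f` output: the TGT must carry the F (forwardable) flag,
    otherwise the KDC log on the appliance fills with complaints."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.rstrip().endswith(f"krbtgt/{realm}@{realm}"):
            m = re.search(r"Flags:\s*(\S+)", lines[i + 1])
            return bool(m and "F" in m.group(1))
    return False

# Constructed sample inputs: a laptop krb5.conf with its own home realm,
# and klist -f output for the ovirtadmin TGT obtained with kinit -A -f.
SAMPLE_CONF = """[realms]
  HOME.NET = {
    kdc = kdc.home.net
  }
[domain_realm]
  .home.net = HOME.NET
"""
SAMPLE_KLIST = """Default principal: ovirtadmin@PRIV.OVIRT.ORG
05/12/08 10:00:00  05/12/08 20:00:00  krbtgt/PRIV.OVIRT.ORG@PRIV.OVIRT.ORG
\tFlags: FIA
"""
```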