[24516] in Kerberos

home help back first fref pref prev next nref lref last post

windows browsers send ntlm instead of kerberos tokens

daemon@ATHENA.MIT.EDU (Julien ALLANOS)
Fri Aug 26 10:09:30 2005

Message-ID: <20050826160046.dcpvnj42vvpc0k40@webmail.aql.fr>
Date: Fri, 26 Aug 2005 16:00:46 +0200
From: Julien ALLANOS <julien.allanos@aql.fr>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain;
	charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello,

I'm experiencing a strange thing again. I have a Windows 2003 server with
apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
login as a simple user and type klist at the command prompt, I can't see I have
no TGT. From what I've understood about KRB5, a TGT should have been granted at
user login, and thus should be visible with klist.

Accessing the web server using a well configured Internet Explorer or Firefox, I
can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
Kerberos tokens, in response to the Negotiate authentication the server is
asking for.

With kinit -5, I can get a TGT without a problem, as well as with Leash. But
launching the browsers again after that, and requesting the web server URL
again, leads to a failure.

As I don't want to use NTLM but Kerberos5 and I don't really understand what is
going on, I'm asking for help here. Is my client session isn't configured to
ask for a TGT at login? Can't it find the KDC? Is it failing because client
session is opened on the same box as the KDC?

Thanks for any help.
-- 
Julien ALLANOS
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post