[24520] in Kerberos
Re: windows browsers send ntlm instead of kerberos tokens
daemon@ATHENA.MIT.EDU (Julien ALLANOS)
Fri Aug 26 11:31:46 2005
Message-ID: <20050826172317.ta37izpe744kosc8@webmail.aql.fr>
Date: Fri, 26 Aug 2005 17:23:17 +0200
From: Julien ALLANOS <julien.allanos@aql.fr>
To: kerberos@mit.edu
In-Reply-To: <VhGPe.19606$%w.17517@twister.nyc.rr.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset=UTF-8;
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Quoting Jeffrey Altman <jaltman2@nyc.rr.com>:
> Julien ALLANOS wrote:
>
>> Quoting Jeffrey Altman <jaltman2@nyc.rr.com>:
>>
>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>> support. If you want them to have Kerberos credentials, Windows must
>>> obtain them for you when you login to Windows using an Active Directory
>>> account.
>>>
>>> Jeffrey Altman
>>
>>
>> OK, but how can I be certain that Windows did really obtain the Kerberos
>> credentials at login, that FF or IE might be able to use after?
>
> Since you have MIT KFW installed you can list the contents of the
> MSLSA ccache with
>
> klist -c MSLSA:
>
> Otherwise, you can install one of the Microsoft tools such as
> kerbtray.exe that are available from the Microsoft download web site.
>
Thanks.
Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
to me at login (verified by purging, logout and login again):
* krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
* ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
* host/host.my.domain.tld@MY.DOMAIN.TLD
However, IE or FF are still sending NTLM tickets. Any clue?
--
Julien ALLANOS
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos