[24544] in Kerberos

home help back first fref pref prev next nref lref last post

Re: windows browsers send ntlm instead of kerberos tokens

daemon@ATHENA.MIT.EDU (Julien ALLANOS)
Mon Aug 29 21:21:46 2005

Message-ID: <20050829100327.2ktocy05vreosccs@webmail.aql.fr>
Date: Mon, 29 Aug 2005 10:03:27 +0200
From: Julien ALLANOS <julien.allanos@aql.fr>
To: kerberos@mit.edu
In-Reply-To: <denjb8$bjs$1@sea.gmane.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset=UTF-8;
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Quoting Markus Moeller <huaraz@moeller.plus.com>:

> Also can you do a kinit -k -t keytab HTTP/server successfully ?
>
> Markus
>
>
> "Julien ALLANOS" <julien.allanos@aql.fr> wrote in message
> news:20050826172317.ta37izpe744kosc8@webmail.aql.fr...
>> Quoting Jeffrey Altman <jaltman2@nyc.rr.com>:
>>
>>> Julien ALLANOS wrote:
>>>
>>>> Quoting Jeffrey Altman <jaltman2@nyc.rr.com>:
>>>>
>>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>>> obtain them for you when you login to Windows using an Active Directory
>>>>> account.
>>>>>
>>>>> Jeffrey Altman
>>>>
>>>>
>>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>>> credentials at login, that FF or IE might be able to use after?
>>>
>>> Since you have MIT KFW installed you can list the contents of the
>>> MSLSA ccache with
>>>
>>> klist -c MSLSA:
>>>
>>> Otherwise, you can install one of the Microsoft tools such as
>>> kerbtray.exe that are available from the Microsoft download web site.
>>>
>>
>> Thanks.
>>
>> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
>> given
>> to me at login (verified by purging, logout and login again):
>>
>> * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
>> * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
>> * host/host.my.domain.tld@MY.DOMAIN.TLD
>>
>> However, IE or FF are still sending NTLM tickets. Any clue?

OK guys, thanks for your answsers.

Yes, my browsers are correctly configured.

Actually it might be a hostname issue: the domain is my.domain.tld, my
webserver/AD/KDC is host.my.domain.tld and has a CNAME for my.domain.tld. I
also want to access the webserver via http://my.domain.tld/. The keytab was
generated for the HTTP/host.my.domain.tld@MY.DOMAIN.TLD principal, that's why:

  kinit -5 -k -t keytab HTTP/host.my.domain.tld@MY.DOMAIN.TLD

works, but not:

  kinit -5 -k -t keytab HTTP/my.domain.tld@MY.DOMAIN.TLD

The strange thing is that I've added another box to the domain, added both
hostnames to FF's auto nego parameters and tried to access both URLs from this
new box, but I get the same thing (a NTLM token is sent), and ethereal doesn't
show any traffic on TCP port 88.

Any help please?
-- 
Julien ALLANOS
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post