[24546] in Kerberos

home help back first fref pref prev next nref lref last post

Re: windows browsers send ntlm instead of kerberos tokens

daemon@ATHENA.MIT.EDU (Julien ALLANOS)
Tue Aug 30 03:45:09 2005

Message-ID: <20050830093540.s2cc9c1pjbfcckgk@webmail.aql.fr>
Date: Tue, 30 Aug 2005 09:35:40 +0200
From: Julien ALLANOS <julien.allanos@aql.fr>
To: kerberos@mit.edu
In-Reply-To: <0bd501c5ad2e$ec8a61c0$0801a8c0@home>
MIME-Version: 1.0
Content-Type: text/plain;
	charset=UTF-8;
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
cc: Markus <markus_moeller@compuserve.com>
Errors-To: kerberos-bounces@mit.edu

Quoting Markus <markus_moeller@compuserve.com>:

> Julien,
>
> as far as I am aware you can not use cnames. Normally the 
> client/server uses a call to gss_import_name which canonicalises the 
> hostname from the cname to the A record. If you capture the traffic 
> on port 88 on the client you should see a TGS-REQ for 
> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>
> Regards
> Markus
>

As I've already said before, I see no traffic between the client and 
the server
(port 88). The client immediately send a NTLM token.

If I could make Kerberos working, do you think a keytab with
HTTP/host.my.domain.tld@MY.DOMAIN.TLD would be enough?
-- 
Julien ALLANOS
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post