[24552] in Kerberos

home help back first fref pref prev next nref lref last post

Re: windows browsers send ntlm instead of kerberos tokens

daemon@ATHENA.MIT.EDU (Markus Moeller)
Tue Aug 30 15:32:40 2005

Message-Id: <200508300808.j7U886Ge018719@pacific-carrier-annex.mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: binary
Mime-Version: 1.0
From: Markus Moeller <huaraz@moeller.plus.com>
To: Julien ALLANOS <julien.allanos@aql.fr>
Date: Tue, 30 Aug 2005 09:07:53 +0100
cc: kerberos@mit.edu
Reply-To: huaraz@moeller.plus.com
Errors-To: kerberos-bounces@mit.edu

Julian,

I think creating a keytab with HTTP/host.my.domain.tld@MY.DOMAIN.TLD should be
enough.

Regards
Markus

Julien ALLANOS wrote:
> 
> Quoting Markus <markus_moeller@compuserve.com>:
> 
>> Julien,
>>
>> as far as I am aware you can not use cnames. Normally the 
>> client/server uses a call to gss_import_name which canonicalises the 
>> hostname from the cname to the A record. If you capture the traffic on 
>> port 88 on the client you should see a TGS-REQ for 
>> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>>
>> Regards
>> Markus
>>
> 
> As I've already said before, I see no traffic between the client and the 
> server
> (port 88). The client immediately send a NTLM token.
> 
> If I could make Kerberos working, do you think a keytab with
> HTTP/host.my.domain.tld@MY.DOMAIN.TLD would be enough?


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post