windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS julien.allanos at aql.fr
Fri Aug 26 10:00:46 EDT 2005


Hello,

I'm experiencing a strange thing again. I have a Windows 2003 server with
apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
log in as a simple user and type klist at the command prompt, I can see I have
no TGT. From what I've understood about KRB5, a TGT should have been granted at
user login, and thus should be visible with klist.

Accessing the web server using a well configured Internet Explorer or Firefox, I
can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
Kerberos tokens, in response to the Negotiate authentication the server is
asking for.

With kinit -5, I can get a TGT without a problem, as well as with Leash. But
launching the browsers again after that, and requesting the web server URL
again, leads to a failure.

As I don't want to use NTLM but Kerberos5 and I don't really understand what is
going on, I'm asking for help here. Is my client session not configured to
ask for a TGT at login? Can't it find the KDC? Is it failing because the client
session is opened on the same box as the KDC?

Thanks for any help.
-- 
Julien ALLANOS
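
An added example, not part of the original message: a Python check that classifies the token in an `Authorization: Negotiate` value as raw NTLMSSP (the case described above) or a GSS-API/SPNEGO token offering Kerberos. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                 # raw NTLMSSP message, no SPNEGO wrapper
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"              # not a GSS-API InitialContextToken
    # Skip the outer tag and its short- or long-form DER length.
    start = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    if token.startswith(OID_KRB5, start):
        return "kerberos"             # bare Kerberos 5 token
    if not token.startswith(OID_SPNEGO, start):
        return "unknown"
    body = token[start + len(OID_SPNEGO):]
    if OID_KRB5 in body or OID_MS_KRB5 in body:
        return "spnego-kerberos"      # Kerberos is among the offered mechs
    if OID_NTLM in body or NTLMSSP_SIG in body:
        return "spnego-ntlm"          # SPNEGO wrapper, but only NTLM inside
    return "spnego-other"

def _tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only

def _spnego_init(mech_oids):
    """Minimal NegTokenInit carrying only mechTypes (constructed sample)."""
    mechs = _tlv(0x30, mech_oids)
    return _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mechs))))

def sample_headers():
    """Constructed sample header values (not captured traffic)."""
    ntlm = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(8)  # type 1 stub
    raw = {"ntlm": ntlm, "krb": _spnego_init(OID_MS_KRB5 + OID_KRB5),
           "only_ntlm": _spnego_init(OID_NTLM)}
    return {k: "Negotiate " + base64.b64encode(v).decode() for k, v in raw.items()}
```

A value that classifies as `ntlm` base64-encodes to a string starting with `TlRMTVNTUA`, which is the quickest thing to look for in a header trace.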

