windows browsers send ntlm instead of kerberos tokens

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Aug 26 10:31:37 EDT 2005


Neither Internet Explorer nor Firefox 1.0 uses KFW for their Kerberos
support. If you want them to have Kerberos credentials, Windows must
obtain them for you when you log in to Windows using an Active Directory
account.

Jeffrey Altman


Julien ALLANOS wrote:
> Hello,
> 
> I'm experiencing a strange thing again. I have a Windows 2003 server with
> apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
> log in as a simple user and type klist at the command prompt, I can't see I have
> no TGT. From what I've understood about KRB5, a TGT should have been granted at
> user login, and thus should be visible with klist.
> 
> Accessing the web server using a well-configured Internet Explorer or Firefox, I
> can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
> Kerberos tokens, in response to the Negotiate authentication the server is
> asking for.
> 
> With kinit -5, I can get a TGT without a problem, as well as with Leash. But
> launching the browsers again after that, and requesting the web server URL
> again, leads to a failure.
> 
> As I don't want to use NTLM but Kerberos5 and I don't really understand what is
> going on, I'm asking for help here. Is my client session not configured to
> ask for a TGT at login? Can't it find the KDC? Is it failing because client
> session is opened on the same box as the KDC?
> 
> Thanks for any help.

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
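
Added example, not part of the original messages: a server-side check that decodes the value of an `Authorization: Negotiate` header and reports whether the browser sent raw NTLM (the `NTLMSSP` prefix described above), NTLM wrapped in SPNEGO, or a Kerberos token. The function names and result labels are hypothetical, and treating the earliest mechanism OID in the SPNEGO token as the preferred one is a simplifying assumption rather than a full ASN.1 parse.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # raw NTLM signature; base64 form starts "TlRMTVNTUAA"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = ((OID_KRB5, "spnego-kerberos"), (OID_MS_KRB5, "spnego-kerberos"),
         (OID_NTLM, "spnego-ntlm"))


def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if tok.startswith(NTLMSSP):
        return "ntlm-raw"                   # the case reported in this thread
    if len(tok) < 4 or tok[0] != 0x60:      # 0x60 = GSS-API initial token tag
        return "unknown"
    _, pos = der_len(tok, 1)
    if tok.startswith(OID_KRB5, pos):
        return "kerberos-raw"
    if not tok.startswith(OID_SPNEGO, pos):
        return "unknown"
    body = tok[pos + len(OID_SPNEGO):]
    if NTLMSSP in body:                     # NTLM message carried as mechToken
        return "spnego-ntlm"
    # Heuristic: the earliest known OID in mechTypes is the preferred mechanism
    hits = [(body.find(oid), name) for oid, name in MECHS if oid in body]
    return min(hits)[1] if hits else "spnego-other"


# Constructed sample: a minimal NTLM type 1 prefix, not a captured token
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    print(classify_negotiate(SAMPLE_NTLM))
```
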

