windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS julien.allanos at aql.fr
Fri Aug 26 11:23:17 EDT 2005


Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:

> Julien ALLANOS wrote:
>
>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>
>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>> support.   If you want them to have Kerberos credentials, Windows must
>>> obtain them for you when you login to Windows using an Active Directory
>>> account.
>>>
>>> Jeffrey Altman
>>
>>
>> OK, but how can I be certain that Windows did really obtain the Kerberos
>> credentials at login, that FF or IE might be able to use after?
>
> Since you have MIT KFW installed you can list the contents of the
> MSLSA ccache with
>
> 	klist -c MSLSA:
>
> Otherwise, you can install one of the Microsoft tools such as
> kerbtray.exe that are available from the Microsoft download web site.
>

Thanks.

Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
to me at login (verified by purging, logout and login again):

* krbtgt/MY.DOMAIN.TLD at MY.DOMAIN.TLD
* ldap/host.my.domain.tld/my.domain.tld at MY.DOMAIN.TLD
* host/host.my.domain.tld at MY.DOMAIN.TLD

However, IE or FF are still sending NTLM tickets. Any clue?
-- 
Julien ALLANOS


More information about the Kerberos mailing list