windows browsers send ntlm instead of kerberos tokens
Markus Moeller
huaraz at moeller.plus.com
Fri Aug 26 13:20:10 EDT 2005
Have you created a HTTP/server principal and configured IE with integrated
windows authentication and FF as follows ?
select URL about:config
in the filter write nego
You should see two entries double click on them and and the domains for
which you want to have SPNEGO e.g. test.com
I hope these are not too basic questions.
Regards
Markus
"Julien ALLANOS" <julien.allanos at aql.fr> wrote in message
news:20050826172317.ta37izpe744kosc8 at webmail.aql.fr...
> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support. If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active Directory
>>>> account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>> credentials at login, that FF or IE might be able to use after?
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
> given
> to me at login (verified by purging, logout and login again):
>
> * krbtgt/MY.DOMAIN.TLD at MY.DOMAIN.TLD
> * ldap/host.my.domain.tld/my.domain.tld at MY.DOMAIN.TLD
> * host/host.my.domain.tld at MY.DOMAIN.TLD
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list