windows browsers send ntlm instead of kerberos tokens
Markus Moeller
huaraz at moeller.plus.com
Fri Aug 26 13:25:46 EDT 2005
Also, can you do a kinit -k -t keytab HTTP/server successfully?
Markus
"Julien ALLANOS" <julien.allanos at aql.fr> wrote in message
news:20050826172317.ta37izpe744kosc8 at webmail.aql.fr...
> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support. If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active Directory
>>>> account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>> credentials at login, that FF or IE might be able to use after?
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
> given to me at login (verified by purging, logout and login again):
>
> * krbtgt/MY.DOMAIN.TLD at MY.DOMAIN.TLD
> * ldap/host.my.domain.tld/my.domain.tld at MY.DOMAIN.TLD
> * host/host.my.domain.tld at MY.DOMAIN.TLD
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
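When debugging the symptom discussed in this thread from the server side, it helps to confirm which mechanism the browser actually put in its Authorization: Negotiate header. The following Python sketch is an added example, not part of the original thread: it classifies a header value as NTLM or Kerberos using the NTLMSSP signature and the SPNEGO/Kerberos mechanism OIDs. The function names are hypothetical, and the sample tokens are constructed with simplified framing and placeholder payloads.

```python
import base64
import binascii

# DER-encoded OIDs (tag 0x06, length, body) and the NTLMSSP message signature.
NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', or a reason the token could not be classified."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"  # raw NTLMSSP message, no GSS-API framing
    if len(token) < 4 or token[0] != 0x60:  # 0x60 = GSS-API initial token tag
        return "unknown"
    off = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)  # skip DER length field
    body = token[off:]
    if body.startswith((OID_KRB5, OID_MS_KRB5)):
        return "kerberos"  # bare Kerberos GSS-API token
    if body.startswith(OID_SPNEGO):
        inner = body[len(OID_SPNEGO):]
        if NTLMSSP_SIG in inner:
            return "ntlm"  # SPNEGO wrapping an NTLM mechToken
        if OID_KRB5 in inner or OID_MS_KRB5 in inner:
            return "kerberos"  # SPNEGO offering or carrying Kerberos
    return "unknown"

def _gss(oid, payload):
    """Sample helper: short-form GSS-API frame (0x60, length, OID, payload)."""
    return bytes([0x60, len(oid) + len(payload)]) + oid + payload

# Constructed sample tokens: simplified framing, placeholder payload bytes.
_TOKENS = {
    "raw_ntlm": NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 8,
    "spnego_krb5": _gss(OID_SPNEGO, OID_MS_KRB5 + OID_KRB5 + _gss(OID_KRB5, b"\x01\x00")),
    "spnego_ntlm": _gss(OID_SPNEGO, NTLMSSP_SIG + b"\x01\x00\x00\x00"),
}
SAMPLES = {k: "Negotiate " + base64.b64encode(v).decode() for k, v in _TOKENS.items()}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", classify_authorization(header))
```

A quick visual check gives the same answer for the raw case: a base64 token beginning with TlRMTVNT is the NTLMSSP signature.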