windows browsers send ntlm instead of kerberos tokens

Jonathan Stephens jonsteph at microsoft.com
Fri Aug 26 16:01:17 EDT 2005


I can't speak for FireFox, but IE will not use Kerberos for
authentication if the site is in the Internet zone.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx

The second common cause is that Internet Explorer 6.0 is attempting to
access a site located in the Internet zone. Internet zone sites are
prevented from using Integrated Windows authentication because these
protocols do not typically work through Web proxies, among other
reasons. If a site is located in the Internet zone, Internet Explorer
6.0 does not attempt to use Kerberos authentication, and automatically
tries NTLM. In all versions of Internet Explorer, when accessing a Web
site to which you want to use Kerberos authentication, you must verify
that the Web site appears as being in the local intranet zone. An icon
in the lower right corner of the Internet Explorer window indicates what
zone a Web site is in. It displays "Internet" for the Internet zone and
"Local Intranet" for the intranet zone. If the Web site appears as being
in the Internet zone, you must manually add the site to the local
intranet sites list.


Jonathan Stephens [MS]
--
This posting is provided "AS IS" with no warranties, and confers no
rights.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Markus Moeller
Sent: Friday, August 26, 2005 1:26 PM
To: kerberos at mit.edu
Subject: Re: windows browsers send ntlm instead of kerberos tokens

Also can you do a kinit -k -t keytab HTTP/server successfully ?

Markus


"Julien ALLANOS" <julien.allanos at aql.fr> wrote in message
news:20050826172317.ta37izpe744kosc8 at webmail.aql.fr...
> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active
>>>> Directory account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the
>>> Kerberos credentials at login, that FF or IE might be able to use after?
>>
>> Since you have MIT KFW installed you can list the contents of the 
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as 
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets 
> are given to me at login (verified by purging, logout and login 
> again):
>
> * krbtgt/MY.DOMAIN.TLD at MY.DOMAIN.TLD
> * ldap/host.my.domain.tld/my.domain.tld at MY.DOMAIN.TLD
> * host/host.my.domain.tld at MY.DOMAIN.TLD
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
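
Added example, not part of the original thread: one way to confirm on the server side which mechanism a browser actually offered is to decode the token in the `Authorization` header and read its mechanism identifier. The function name `classify` and the `SAMPLE_*` values are constructed for illustration; the example also covers NTLM wrapped inside SPNEGO, which goes beyond the bare NTLM case discussed above.

```python
import base64
import binascii

# DER-encoded OID values (without the 0x06 tag and length bytes).
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
}
SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2

def _tlv(buf, pos, want):
    """Read one DER TLV at pos; return (value_start, value_end) or raise."""
    if buf[pos] != want:
        raise ValueError("unexpected tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def classify(header_value):
    """Classify an Authorization header value as 'kerberos', 'ntlm' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):   # bare NTLM message, no GSS-API framing
            return "ntlm"
        pos, _ = _tlv(tok, 0, 0x60)          # GSS-API InitialContextToken
        start, end = _tlv(tok, pos, 0x06)    # thisMech OID
        mech = tok[start:end]
        if mech == SPNEGO:                   # descend to the first (preferred) mechType
            pos, _ = _tlv(tok, end, 0xA0)    # NegTokenInit
            pos, _ = _tlv(tok, pos, 0x30)    # SEQUENCE
            pos, _ = _tlv(tok, pos, 0xA0)    # [0] mechTypes
            pos, _ = _tlv(tok, pos, 0x30)    # SEQUENCE OF OID
            start, end = _tlv(tok, pos, 0x06)
            mech = tok[start:end]
        return MECHS.get(mech, "unknown")
    except (ValueError, IndexError):         # bad base64 or truncated DER
        return "unknown"

# Constructed samples: token prefixes only, enough to carry the mechanism identifier.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()

if __name__ == "__main__":
    print(classify(SAMPLE_NTLM), classify(SAMPLE_KRB))
```

A header whose base64 payload begins with `TlRMTVNT` is a bare NTLM message; one beginning with `YI` is a GSS-API token, and the OID inside it says whether Kerberos or NTLM was chosen.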


