windows browsers send ntlm instead of kerberos tokens
vadim
vadim.tarassov at swissonline.ch
Sat Aug 27 06:39:45 EDT 2005
Probably silly question ... Have you enabled "windows integrated
authentication" in IE? Is your http server in the "trusted zone"?
best regards, vadim tarassov.
On Fri, 2005-08-26 at 17:23 +0200, Julien ALLANOS wrote:
> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>
> > Julien ALLANOS wrote:
> >
> >> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
> >>
> >>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
> >>> support. If you want them to have Kerberos credentials, Windows must
> >>> obtain them for you when you login to Windows using an Active Directory
> >>> account.
> >>>
> >>> Jeffrey Altman
> >>
> >>
> >> OK, but how can I be certain that Windows did really obtain the Kerberos
> >> credentials at login, that FF or IE might be able to use after?
> >
> > Since you have MIT KFW installed you can list the contents of the
> > MSLSA ccache with
> >
> > klist -c MSLSA:
> >
> > Otherwise, you can install one of the Microsoft tools such as
> > kerbtray.exe that are available from the Microsoft download web site.
> >
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
> to me at login (verified by purging, logout and login again):
>
> * krbtgt/MY.DOMAIN.TLD at MY.DOMAIN.TLD
> * ldap/host.my.domain.tld/my.domain.tld at MY.DOMAIN.TLD
> * host/host.my.domain.tld at MY.DOMAIN.TLD
>
> However, IE or FF are still sending NTLM tickets. Any clue?
--
vadim <vadim.tarassov at swissonline.ch>
More information about the Kerberos
mailing list