windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS julien.allanos at aql.fr
Mon Aug 29 04:03:27 EDT 2005


Quoting Markus Moeller <huaraz at moeller.plus.com>:

> Also can you do a kinit -k -t keytab HTTP/server successfully ?
>
> Markus
>
>
> "Julien ALLANOS" <julien.allanos at aql.fr> wrote in message
> news:20050826172317.ta37izpe744kosc8 at webmail.aql.fr...
>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>
>>> Julien ALLANOS wrote:
>>>
>>>> Quoting Jeffrey Altman <jaltman2 at nyc.rr.com>:
>>>>
>>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>>> obtain them for you when you login to Windows using an Active Directory
>>>>> account.
>>>>>
>>>>> Jeffrey Altman
>>>>
>>>>
>>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>>> credentials at login, that FF or IE might be able to use after?
>>>
>>> Since you have MIT KFW installed you can list the contents of the
>>> MSLSA ccache with
>>>
>>> klist -c MSLSA:
>>>
>>> Otherwise, you can install one of the Microsoft tools such as
>>> kerbtray.exe that are available from the Microsoft download web site.
>>>
>>
>> Thanks.
>>
>> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
>> given
>> to me at login (verified by purging, logout and login again):
>>
>> * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
>> * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
>> * host/host.my.domain.tld@MY.DOMAIN.TLD
>>
>> However, IE or FF are still sending NTLM tickets. Any clue?

OK guys, thanks for your answers.

Yes, my browsers are correctly configured.

Actually it might be a hostname issue: the domain is my.domain.tld, my
webserver/AD/KDC is host.my.domain.tld and has a CNAME for my.domain.tld. I
also want to access the webserver via http://my.domain.tld/. The keytab was
generated for the HTTP/host.my.domain.tld@MY.DOMAIN.TLD principal, that's why:

  kinit -5 -k -t keytab HTTP/host.my.domain.tld@MY.DOMAIN.TLD

works, but not:

  kinit -5 -k -t keytab HTTP/my.domain.tld@MY.DOMAIN.TLD

The strange thing is that I've added another box to the domain, added both
hostnames to FF's auto nego parameters and tried to access both URLs from this
new box, but I get the same thing (a NTLM token is sent), and ethereal doesn't
show any traffic on TCP port 88.

Any help please?
-- 
Julien ALLANOS
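The SPN mismatch described in the post (keytab holds HTTP/host.my.domain.tld, but the URL uses the CNAME my.domain.tld) can be checked mechanically. The following is an added example, not code from the thread: it parses a constructed `klist -k` listing, follows a constructed CNAME map to the canonical host, and reports which HTTP/ principals the keytab is missing for a given URL. Realm, hostnames and the listing are assumptions modelled on the thread.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of `klist -k keytab` output (not taken from the thread).
KLIST_K_OUTPUT = """Keytab name: FILE:keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/host.my.domain.tld@MY.DOMAIN.TLD
   3 host/host.my.domain.tld@MY.DOMAIN.TLD
"""

# Constructed DNS view: alias -> canonical name (the CNAME the post describes).
CNAMES = {"my.domain.tld": "host.my.domain.tld"}


def parse_keytab_principals(listing: str) -> List[str]:
    """Extract principal names from `klist -k` output (KVNO column, then principal)."""
    principals = []
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def canonical_host(host: str, cnames: Dict[str, str]) -> str:
    """Follow CNAME records to the canonical hostname (loop-safe)."""
    seen = set()
    h = host.lower().rstrip(".")
    while h in cnames and h not in seen:
        seen.add(h)
        h = cnames[h].lower().rstrip(".")
    return h


def spn_status(url: str, realm: str, principals: List[str], cnames: Dict[str, str]) -> dict:
    """Report whether the keytab covers HTTP/<host as typed> and HTTP/<canonical host>.

    Clients differ on whether they canonicalise the URL host before building the
    service principal, so a keytab that serves both names avoids the NTLM fallback.
    """
    host = urlparse(url).hostname.lower()
    canon = canonical_host(host, cnames)
    as_typed = f"HTTP/{host}@{realm}"
    canonical = f"HTTP/{canon}@{realm}"
    candidates = [as_typed] + ([canonical] if canonical != as_typed else [])
    return {
        "host": host,
        "canonical": canon,
        "as_typed_in_keytab": as_typed in principals,
        "canonical_in_keytab": canonical in principals,
        "missing": [p for p in candidates if p not in principals],
    }
```

Any principal listed under "missing" is one the web server's keytab should gain (e.g. via ktpass or by re-exporting the keytab with an additional SPN) before the browser can be expected to negotiate Kerberos for that URL.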