windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS julien.allanos at aql.fr
Tue Aug 30 03:35:40 EDT 2005


Quoting Markus <markus_moeller at compuserve.com>:

> Julien,
>
> as far as I am aware you can not use cnames. Normally the 
> client/server uses a call to gss_import_name which canonicalises the 
> hostname from the cname to the A record. If you capture the traffic 
> on port 88 on the client you should see a TGS-REQ for 
> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>
> Regards
> Markus
>

As I've already said before, I see no traffic between the client and
the server (port 88). The client immediately sends an NTLM token.

If I could get Kerberos working, do you think a keytab with
HTTP/host.my.domain.tld@MY.DOMAIN.TLD would be enough?
-- 
Julien ALLANOS
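
Added example, not part of the original message or of any project mentioned in it: one way to confirm on the server side which mechanism a browser placed in its `Authorization: Negotiate` header, which is the symptom reported in this thread. The function name, return labels and sample tokens are constructed for illustration, and the samples use simplified framing rather than complete DER structures.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                              # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify the initial token of an 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"            # bare NTLMSSP message, no GSS-API framing
    if token[:1] != b"\x60":
        return "unknown"         # not a GSS-API InitialContextToken
    if NTLMSSP_SIG in token:
        return "spnego-ntlm"     # SPNEGO wrapper carrying an NTLM message
    if OID_KRB5 in token or OID_MS_KRB5 in token:
        return "kerberos"        # a Kerberos mechanism OID is present
    return "unknown"


def _gss(oid, body):
    """Constructed-sample helper: 0x60, short-form length, mech OID, body."""
    inner = oid + body
    return b"\x60" + bytes([len(inner)]) + inner


def _hdr(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples with simplified framing (not complete DER structures).
SAMPLE_NTLM = _hdr(NTLMSSP_SIG + b"\x01\x00\x00\x00")
SAMPLE_SPNEGO_NTLM = _hdr(_gss(OID_SPNEGO, OID_NTLMSSP + NTLMSSP_SIG + b"\x01\x00\x00\x00"))
SAMPLE_KERBEROS = _hdr(_gss(OID_SPNEGO, OID_MS_KRB5 + OID_KRB5 + _gss(OID_KRB5, b"\x01\x00")))

if __name__ == "__main__":
    for name in ("SAMPLE_NTLM", "SAMPLE_SPNEGO_NTLM", "SAMPLE_KERBEROS"):
        print(name, "->", classify_negotiate(globals()[name]))
```

A header value whose base64 begins with `TlRMTVNTUAAB` is a bare NTLM type 1 message; later tokens in a SPNEGO exchange do not start with 0x60 and are reported as "unknown" here.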

