windows browsers send ntlm instead of kerberos tokens
Markus Moeller
huaraz at moeller.plus.com
Tue Aug 30 04:07:53 EDT 2005
Julien,
I think creating a keytab with HTTP/host.my.domain.tld@MY.DOMAIN.TLD should be
enough.
Regards
Markus
Julien ALLANOS wrote:
>
> Quoting Markus <markus_moeller at compuserve.com>:
>
>> Julien,
>>
>> as far as I am aware you cannot use CNAMEs. Normally the
>> client/server uses a call to gss_import_name which canonicalises the
>> hostname from the cname to the A record. If you capture the traffic on
>> port 88 on the client you should see a TGS-REQ for
>> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>>
>> Regards
>> Markus
>>
>
> As I've already said before, I see no traffic between the client and the
> server (port 88). The client immediately sends an NTLM token.
>
> If I could make Kerberos work, do you think a keytab with
> HTTP/host.my.domain.tld@MY.DOMAIN.TLD would be enough?
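
An offline check of the canonicalisation described in the quoted message, added here as an example (not code from the thread or from any Kerberos implementation): it follows a CNAME to its A-record name in a constructed DNS table, builds the service principal the client would then request, and tests whether a keytab's principal list contains it. The zone data, the function names and the keytab list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed DNS data mirroring the names used in the thread; no network access.
# Each name maps to ("CNAME", target) or ("A", address).
ZONE = {
    "my.domain.tld": ("CNAME", "host.my.domain.tld"),
    "host.my.domain.tld": ("A", "192.0.2.10"),
}


def canonical_host(name, zone, max_hops=8):
    """Follow CNAME records until a name with an A record is reached."""
    seen = set()
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        record = zone.get(current)
        if record is None:
            raise LookupError(f"no record for {current}")
        rtype, value = record
        if rtype == "A":
            return current
        current = value.lower().rstrip(".")
    raise ValueError("CNAME chain too long")


def expected_spn(url, zone, realm):
    """Service principal a canonicalising client would ask the KDC for."""
    host = urlsplit(url).hostname
    return f"HTTP/{canonical_host(host, zone)}@{realm}"


def keytab_covers(url, zone, realm, keytab_principals):
    """Return (spn, True/False): is the expected principal in the keytab list?"""
    spn = expected_spn(url, zone, realm)
    return spn, spn in keytab_principals


if __name__ == "__main__":
    # Hypothetical keytab contents: one keyed to the alias, one to the host name.
    for keytab in (["HTTP/my.domain.tld@MY.DOMAIN.TLD"],
                   ["HTTP/host.my.domain.tld@MY.DOMAIN.TLD"]):
        print(keytab, keytab_covers("http://my.domain.tld/", ZONE,
                                    "MY.DOMAIN.TLD", keytab))
```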