windows browsers send ntlm instead of kerberos tokens

Markus Moeller huaraz at moeller.plus.com
Tue Aug 30 04:07:53 EDT 2005


Julien,

I think creating a keytab with HTTP/host.my.domain.tld@MY.DOMAIN.TLD should be
enough.

Regards
Markus

Julien ALLANOS wrote:
> 
> Quoting Markus <markus_moeller at compuserve.com>:
> 
>> Julien,
>>
>> as far as I am aware you cannot use cnames. Normally the 
>> client/server uses a call to gss_import_name which canonicalises the 
>> hostname from the cname to the A record. If you capture the traffic on 
>> port 88 on the client you should see a TGS-REQ for 
>> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>>
>> Regards
>> Markus
>>
> 
> As I've already said before, I see no traffic between the client and the
> server (port 88). The client immediately sends an NTLM token.
> 
> If I could make Kerberos work, do you think a keytab with
> HTTP/host.my.domain.tld@MY.DOMAIN.TLD would be enough?
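
An added example, not part of the original thread: one way to confirm on the server side which kind of token the browser actually sent, by inspecting the bytes behind an HTTP `Authorization: Negotiate` value. The function name, result labels and sample tokens are constructed for illustration; the SPNEGO check is a byte-pattern heuristic, not a full ASN.1 parse.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if tok.startswith(NTLM_SIG) and len(tok) >= 12:
        # Bare NTLMSSP message: 8-byte signature, then little-endian type.
        (mtype,) = struct.unpack_from("<I", tok, 8)
        return "ntlm-raw:" + NTLM_TYPES.get(mtype, "unknown")
    if len(tok) < 4 or tok[0] != 0x60:      # GSS-API tokens start with 0x60
        return "unknown"
    # Skip the DER length (short form: 1 byte; long form: 1 + n bytes).
    pos = 2 + ((tok[1] & 0x7F) if tok[1] & 0x80 else 0)
    if tok.startswith(OID_KRB5, pos):
        return "kerberos"
    if tok.startswith(OID_SPNEGO, pos):
        body = tok[pos + len(OID_SPNEGO):]
        # Heuristic: an embedded NTLMSSP signature means the mechToken is NTLM.
        if NTLM_SIG in body:
            return "spnego-ntlm"
        if OID_KRB5 in body or OID_MS_KRB5 in body:
            return "spnego-kerberos"
        return "spnego-other"
    return "unknown"

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample tokens (filler bytes, not captured traffic).
_krb = OID_KRB5 + b"\x01\x00" + bytes(20)
_spn = OID_SPNEGO + b"\xa0\x0d\x30\x0b" + OID_KRB5 + bytes(20)
SAMPLES = {
    "ntlm": _hdr(NTLM_SIG + struct.pack("<II", 1, 0xA2088207) + bytes(16)),
    "kerberos": _hdr(b"\x60" + bytes([len(_krb)]) + _krb),
    "spnego": _hdr(b"\x60" + bytes([len(_spn)]) + _spn),
}
```

A result of `ntlm-raw:negotiate` matches the symptom described in this thread: the browser never obtained a service ticket and fell back to NTLM.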



