kerberos authentication for apache on windows
Frank Balluffi
frank.balluffi at db.com
Fri Jun 3 14:17:01 EDT 2005
Julien ALLANOS said:
> I've just installed ethereal on the client, but I want to know which
> ports do I have to listen to to get KDC messages (cause a lot of packets
> are caught without using a filter, and filtering on port 80 only isn't
> sufficient I believe to see dialogs between client SSPI layer and KDC).
> Actually, I have the same box for the client (web browser), the web
> server and the KDC, maybe the problem comes from that...
>
> So why my web browsers are sending NTLM tokens in the Authorization
> header, instead of SPNEGO tokens?

For IE, follow the directions on
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
(I think someone has already made this point), including shutting down ALL
instances of IE and restarting IE.

Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).

I have seen IE send NTLM tokens under the following circumstances:

1. web server sends IE the following:

   HTTP/1.1 401 Authorization Required
   ...
   WWW-Authenticate: NTLM
   ...

2. IE is NOT configured as above and web server sends IE the following:

   HTTP/1.1 401 Authorization Required
   ...
   WWW-Authenticate: Negotiate
   ...

mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
mod_spnego, read Microsoft's directions very carefully.

Sniff the following traffic:

  HTTP between IE and web server (usually port 80)
  Kerberos between IE and KDC (usually port 88)

Frank
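
Added example, not part of the original message: a small Python helper for checking what a browser actually put in the Authorization header seen in a port 80 capture, since a client that falls back to NTLM can send a raw NTLMSSP token under either the NTLM or the Negotiate scheme. The function name `classify` and the sample tokens are constructed for illustration; the check matches well-known byte patterns and is not a full ASN.1 parser.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
# DER-encoded OIDs: tag 0x06, length, value
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_KRB5_MS = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_KRB5: "Kerberos", OID_KRB5_MS: "Kerberos (MS OID)", OID_NTLM: "NTLM"}


def classify(header_value):
    """Return (scheme, description) for the value of an Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return scheme, "undecodable"
    if token.startswith(NTLMSSP):
        # Possible under "NTLM" and also under "Negotiate" when the client falls back.
        return scheme, "raw NTLM type %d" % int.from_bytes(token[8:12], "little")
    if token[:1] == b"\x60" and OID_SPNEGO in token[:16]:
        # List the mechanisms offered, in the order they appear in the token.
        found = sorted((token.find(o), n) for o, n in MECHS.items() if o in token)
        return scheme, "SPNEGO: " + (", ".join(n for _, n in found) or "no known mechanism")
    if token[:1] == b"\x60" and OID_KRB5 in token[:16]:
        return scheme, "bare Kerberos GSS-API token"
    return scheme, "unrecognised"


def _der(tag, body):
    """Minimal DER TLV with a short-form length, enough for the samples below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample tokens (not captured traffic).
_ntlm = NTLMSSP + (1).to_bytes(4, "little") + bytes.fromhex("07820000")
_mech_list = _der(0x30, OID_KRB5_MS + OID_KRB5 + OID_NTLM)
_spnego = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, _mech_list))))
SAMPLES = {
    "ntlm": "NTLM " + base64.b64encode(_ntlm).decode(),
    "negotiate_ntlm": "Negotiate " + base64.b64encode(_ntlm).decode(),
    "negotiate_spnego": "Negotiate " + base64.b64encode(_spnego).decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value))
```

A Negotiate header classified as raw NTLM corresponds to case 2 above; in that case no Kerberos exchange with the KDC on port 88 is to be expected in the capture.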