kerberos authentication for apache on windows

Frank Balluffi frank.balluffi at db.com
Fri Jun 3 14:17:01 EDT 2005


Julien ALLANOS said:

> I've just installed ethereal on the client, but I want to know which ports do I
> have to listen to to get KDC messages (cause a lot of packets are caught up
> without using a filter, and filtering on port 80 only isn't sufficient I
> believe to see dialogs between client SSPI layer and KDC. Actually, I have the
> same box for the client (web browser), the web server and the KDC, maybe the
> problem comes from that...
> 
> So why my web browsers are sending NTLM tokens in the Authorization header,
> instead of SPNEGO tokens?

For IE, follow the directions on 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp 
(I think someone has already made this point), including shutting down ALL 
instances of IE and restarting IE.

Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO. 
I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).

I have seen IE send NTLM tokens under the following circumstances:

1. web server sends IE the following:

HTTP/1.1 401 Authorization Required
...
WWW-Authenticate: NTLM
...

2. IE is NOT configured as above and web server sends IE the following:

HTTP/1.1 401 Authorization Required
...
WWW-Authenticate: Negotiate
...

mod_spnego sends WWW-Authenticate: Negotiate. So if you are using 
mod_spnego, read Microsoft's directions very carefully.

Sniff the following traffic:

HTTP between IE and web server (usually port 80)
Kerberos between IE and KDC (usually port 88)

Frank
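
An added example, not part of the original post: once the port 80 traffic is captured, the base64 value of the browser's Authorization header shows whether it carries an NTLM or a SPNEGO token, including the case above where IE answers WWW-Authenticate: Negotiate with NTLM. The function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs at the start of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"                    # base64 starts "TlRMTVNTUAA"

def gss_mech_oid(token):
    """Return the mechanism OID bytes of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:      # [APPLICATION 0] wrapper
        return None
    pos = 2
    if token[1] & 0x80:                         # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    oid_len = token[pos + 1]
    oid = token[pos + 2 : pos + 2 + oid_len]
    return oid if len(oid) == oid_len else None

def classify_authorization(value):
    """Classify the value of an HTTP Authorization header."""
    scheme, _, b64 = value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid base64"
    if token.startswith(NTLMSSP_SIG):
        return "NTLM" if scheme.lower() == "ntlm" else "NTLM inside " + scheme
    oid = gss_mech_oid(token)
    if oid == SPNEGO_OID:
        return "SPNEGO"
    if oid == KRB5_OID:
        return "Kerberos (raw GSS-API)"
    return "unknown"

def header(scheme, raw):
    """Build a header value from raw token bytes (helper for the samples)."""
    return scheme + " " + base64.b64encode(raw).decode()

# Constructed sample tokens: only the leading bytes matter, not real captures.
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 8
SPNEGO_INIT = b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00"

if __name__ == "__main__":
    for h in (header("NTLM", NTLM_TYPE1), header("Negotiate", NTLM_TYPE1),
              header("Negotiate", SPNEGO_INIT)):
        print(classify_authorization(h), "<-", h)
```

A result of "NTLM inside Negotiate" corresponds to case 2 in the message: the server offered Negotiate but the browser did not attempt Kerberos.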

