Fwd: NTLM vs Kerberos again

Douglas E. Engert deengert at anl.gov
Thu Nov 3 10:29:52 EST 2005 


Sergey Koulik wrote:

> Thank you for your reply. But my problem is that I do not either use Active
> Directory or connected to microsoft domain. What I want is to made browser
> send kerberos tickets to MIT KDC and not fallback to NTLM authentification.

Have you run ksetup on the client so Windows knows about Kerberos?

Do you then login to the workstation using Kerberos?

The point is IE would only use Kerberos if the ser has tickets in its cache.
You can use the kerbtray and the klist commands to see the tickets.
ksetup, kerbtray and klist are Micrsoft commands in resource ket, I believe.



> 
> 2005/11/3, Sung Ho Jee <jee.sung at ansaldo-signal.com.au>:
> 
>>
>>Although the page below was written for mod_auth_gss_krb5, I believe the
>>IE6 settings remain the same.
>>
>>- Single Sign-on for your web applications with Apache and Kerberos
>>http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=1
>>
>>
>>Regards,
>>
>>Sung.
>>
>>
>>
>>*Sergey Koulik <skoulik at gmail.com>*
>>Sent by: kerberos-bounces at mit.edu
>>
>>03/11/2005 12:22 PM
>>
>>To: kerberos at mit.edu
>>cc:
>>Subject: Fwd: NTLM vs Kerberos again
>>
>>
>>Hi all,
>>
>>I am forwarding the message to kerberos mail list, because my problem is
>>somehow related with kerberos. I am not sure anyone in the list is
>>familiar
>>with apache module mod_auth_kerb I am talking about, but I hope anyone is
>>and he could help me.
>>My problem is that windows client (for exasmple MS IE) chooses to talk
>>NTLM
>>when it receives WWW-Authentificate: Negotiate HTTP header. I know that IE
>>could talk Kerberos as well but for some reason it does not and I don't
>>know
>>how to configure it to talk Kerberos.
>>
>>
>>---------- Forwarded message ----------
>>From: Sergey Koulik <skoulik at gmail.com>
>>Date: 03.11.2005 14:13
>>Subject: NTLM vs Kerberos again
>>To: modauthkerb-help at lists.sourceforge.net
>>
>>Hi all,
>>
>>I have examined mail archive. But I still don't see correct solution.
>>I want to force my windows clients to use Kerberos authentification
>>instead
>>of NTLM when contacting web server kerberized with mod_auth_kerb. I use
>>MIT
>>kerberos KDC located at lunux machine. My windows XP machine is not
>>connected to any domain.
>>Did anyone get it work?
>>Does anyone have step-by-step documentation how to configure MIT KDC,
>>mod_auth_kerb and clients to use Kerberos instead of NTLM?
>>
>>--
>>Sincerely,
>>Sergey Koulik
>>
>>--
>>Sincerely,
>>Sergey Koulik
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
> 
> 
> 
> --
> Sincerely,
> Sergey Koulik
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list