Fwd: NTLM vs Kerberos again
peter huang
peter.huang at hp.com
Thu Nov 3 18:07:45 EST 2005
IE browser can only access MS kerberos ticket cache and which can only be
initialized in login screen. Microsoft has documented how to support
standalone (workgroup) client using third party KDC thru ksetup as doug
suggested. Furthermore, the web server must be in "local intranet" zone
before IE do kerberos authentication.
-peter huang
""Douglas E. Engert"" <deengert at anl.gov> wrote in message
news:436A2CF0.1060807 at anl.gov...
>
>
> Sergey Koulik wrote:
>
>> Thank you for your reply. But my problem is that I do not either use
>> Active
>> Directory or connected to microsoft domain. What I want is to made
>> browser
>> send kerberos tickets to MIT KDC and not fallback to NTLM
>> authentification.
>
> Have you run ksetup on the client so Windows knows about Kerberos?
>
> Do you then login to the workstation using Kerberos?
>
> The point is IE would only use Kerberos if the ser has tickets in its
> cache.
> You can use the kerbtray and the klist commands to see the tickets.
> ksetup, kerbtray and klist are Micrsoft commands in resource ket, I
> believe.
>
>
>
>>
>> 2005/11/3, Sung Ho Jee <jee.sung at ansaldo-signal.com.au>:
>>
>>>
>>>Although the page below was written for mod_auth_gss_krb5, I believe the
>>>IE6 settings remain the same.
>>>
>>>- Single Sign-on for your web applications with Apache and Kerberos
>>>http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=1
>>>
>>>
>>>Regards,
>>>
>>>Sung.
>>>
>>>
>>>
>>>*Sergey Koulik <skoulik at gmail.com>*
>>>Sent by: kerberos-bounces at mit.edu
>>>
>>>03/11/2005 12:22 PM
>>>
>>>To: kerberos at mit.edu
>>>cc:
>>>Subject: Fwd: NTLM vs Kerberos again
>>>
>>>
>>>Hi all,
>>>
>>>I am forwarding the message to kerberos mail list, because my problem is
>>>somehow related with kerberos. I am not sure anyone in the list is
>>>familiar
>>>with apache module mod_auth_kerb I am talking about, but I hope anyone is
>>>and he could help me.
>>>My problem is that windows client (for exasmple MS IE) chooses to talk
>>>NTLM
>>>when it receives WWW-Authentificate: Negotiate HTTP header. I know that
>>>IE
>>>could talk Kerberos as well but for some reason it does not and I don't
>>>know
>>>how to configure it to talk Kerberos.
>>>
>>>
>>>---------- Forwarded message ----------
>>>From: Sergey Koulik <skoulik at gmail.com>
>>>Date: 03.11.2005 14:13
>>>Subject: NTLM vs Kerberos again
>>>To: modauthkerb-help at lists.sourceforge.net
>>>
>>>Hi all,
>>>
>>>I have examined mail archive. But I still don't see correct solution.
>>>I want to force my windows clients to use Kerberos authentification
>>>instead
>>>of NTLM when contacting web server kerberized with mod_auth_kerb. I use
>>>MIT
>>>kerberos KDC located at lunux machine. My windows XP machine is not
>>>connected to any domain.
>>>Did anyone get it work?
>>>Does anyone have step-by-step documentation how to configure MIT KDC,
>>>mod_auth_kerb and clients to use Kerberos instead of NTLM?
>>>
>>>--
>>>Sincerely,
>>>Sergey Koulik
>>>
>>>--
>>>Sincerely,
>>>Sergey Koulik
>>>________________________________________________
>>>Kerberos mailing list Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>>
>>
>>
>>
>> --
>> Sincerely,
>> Sergey Koulik
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list