Fwd: NTLM vs Kerberos again

Douglas E. Engert deengert at anl.gov
Thu Nov 3 20:23:16 EST 2005 


peter huang wrote:

> IE browser can only access MS kerberos ticket cache and which can only be 
> initialized in login screen.  Microsoft has documented how to support 
> standalone (workgroup) client using third party KDC thru ksetup as doug 
> suggested.  Furthermore, the web server must be in "local intranet" zone 
> before IE do kerberos authentication.

You might also be able to start it from:
  runas /netonly /user:<user>@<realm> "C:\Program Files\Internet Explorer\IEXPLORE.EXE"


> 
> -peter huang
> 
> 
>  ""Douglas E. Engert"" <deengert at anl.gov> wrote in message 
> news:436A2CF0.1060807 at anl.gov...
> 
>>
>>Sergey Koulik wrote:
>>
>>
>>>Thank you for your reply. But my problem is that I do not either use 
>>>Active
>>>Directory or connected to microsoft domain. What I want is to made 
>>>browser
>>>send kerberos tickets to MIT KDC and not fallback to NTLM 
>>>authentification.
>>
>>Have you run ksetup on the client so Windows knows about Kerberos?
>>
>>Do you then login to the workstation using Kerberos?
>>
>>The point is IE would only use Kerberos if the ser has tickets in its 
>>cache.
>>You can use the kerbtray and the klist commands to see the tickets.
>>ksetup, kerbtray and klist are Micrsoft commands in resource ket, I 
>>believe.
>>
>>
>>
>>
>>>2005/11/3, Sung Ho Jee <jee.sung at ansaldo-signal.com.au>:
>>>
>>>
>>>>Although the page below was written for mod_auth_gss_krb5, I believe the
>>>>IE6 settings remain the same.
>>>>
>>>>- Single Sign-on for your web applications with Apache and Kerberos
>>>>http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=1
>>>>
>>>>
>>>>Regards,
>>>>
>>>>Sung.
>>>>
>>>>
>>>>
>>>>*Sergey Koulik <skoulik at gmail.com>*
>>>>Sent by: kerberos-bounces at mit.edu
>>>>
>>>>03/11/2005 12:22 PM
>>>>
>>>>To: kerberos at mit.edu
>>>>cc:
>>>>Subject: Fwd: NTLM vs Kerberos again
>>>>
>>>>
>>>>Hi all,
>>>>
>>>>I am forwarding the message to kerberos mail list, because my problem is
>>>>somehow related with kerberos. I am not sure anyone in the list is
>>>>familiar
>>>>with apache module mod_auth_kerb I am talking about, but I hope anyone is
>>>>and he could help me.
>>>>My problem is that windows client (for exasmple MS IE) chooses to talk
>>>>NTLM
>>>>when it receives WWW-Authentificate: Negotiate HTTP header. I know that 
>>>>IE
>>>>could talk Kerberos as well but for some reason it does not and I don't
>>>>know
>>>>how to configure it to talk Kerberos.
>>>>
>>>>
>>>>---------- Forwarded message ----------
>>>>From: Sergey Koulik <skoulik at gmail.com>
>>>>Date: 03.11.2005 14:13
>>>>Subject: NTLM vs Kerberos again
>>>>To: modauthkerb-help at lists.sourceforge.net
>>>>
>>>>Hi all,
>>>>
>>>>I have examined mail archive. But I still don't see correct solution.
>>>>I want to force my windows clients to use Kerberos authentification
>>>>instead
>>>>of NTLM when contacting web server kerberized with mod_auth_kerb. I use
>>>>MIT
>>>>kerberos KDC located at lunux machine. My windows XP machine is not
>>>>connected to any domain.
>>>>Did anyone get it work?
>>>>Does anyone have step-by-step documentation how to configure MIT KDC,
>>>>mod_auth_kerb and clients to use Kerberos instead of NTLM?
>>>>
>>>>--
>>>>Sincerely,
>>>>Sergey Koulik
>>>>
>>>>--
>>>>Sincerely,
>>>>Sergey Koulik
>>>>________________________________________________
>>>>Kerberos mailing list Kerberos at mit.edu
>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>--
>>>Sincerely,
>>>Sergey Koulik
>>>________________________________________________
>>>Kerberos mailing list           Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>>-- 
>>
>> Douglas E. Engert  <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois  60439
>> (630) 252-5444
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list