Internet Explorer is using NTLM insted of Kerberos
Kent Wu
kwu at xsigo.com
Mon Sep 19 13:29:59 EDT 2005
My experience is that IE has never used kerberos, it's always been NTLM
even though AD understands both Kerberos and NTLM (through SPNEGO).
Hope this helps.
-Kent
On Thu, 2005-09-15 at 16:49 -0700, Eitan wrote:
> Hi,
> Not sure if this is the correct place to post this question so I'm
> sorry if it's not.
>
> I've created in a test environment the following configuration:
> - PC A: Running Windows 2003 as active directory domain controller.
> - PC B: Windows XP Pro (that was added to the AD) logged on to the AD.
> - PC C: Simply running a sniffer.
>
> Now..
> Having read this :
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx
>
> I fixed what was stated in this article (added the AD server to the
> correct zone on the XP client, and made sure that the Integrated logon
> was checked)
> After this setup I was ready to start the browser and post a request
> for a simple "Hello world" page on the AD server (and yes , the URL was
> constructed with the FQDN of the Ad and not it's IP)
>
> When the TCP stream was decoded by the sniffer I found that the server
> sent a single "Authorization" header to the client stating "Negotiate"
> and the client sent an NTLM keys (decoded into "NTLMSSP" string)
> no mater what I tried I keep getting those NTLM sessions and no
> Kerberos.
>
> Eitan.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Kent Wu <kwu at xsigo.com>
XSIGO INC.
More information about the Kerberos
mailing list