Internet Explorer is using NTLM insted of Kerberos

Kent Wu kwu at xsigo.com
Mon Sep 19 13:29:59 EDT 2005


My experience is that IE has never used kerberos, it's always been NTLM
even though AD understands both Kerberos and NTLM (through SPNEGO).   

Hope this helps.

-Kent

On Thu, 2005-09-15 at 16:49 -0700, Eitan wrote:
> Hi,
> Not sure if this is the correct place to post this question so I'm
> sorry if it's not.
> 
> I've created in a test environment the following configuration:
> - PC A: Running Windows 2003 as active directory domain controller.
> - PC B: Windows XP Pro (that was added to the AD) logged on to the AD.
> - PC C: Simply running a sniffer.
> 
> Now..
> Having read this :
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx
> 
> I fixed what was stated in this article (added the AD server to the
> correct zone on the XP client, and made sure that the Integrated logon
> was checked)
> After this setup I was ready to start the browser and post a request
> for a simple "Hello world" page on the AD server (and yes , the URL was
> constructed with the FQDN of the Ad and not it's IP)
> 
> When the TCP stream was decoded by the sniffer I found that the server
> sent a single "Authorization" header to the client stating "Negotiate"
> and the client sent an NTLM keys (decoded into "NTLMSSP" string)
> no mater what I tried I keep getting those NTLM sessions and no
> Kerberos.
> 
> Eitan.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 
Kent Wu <kwu at xsigo.com>
XSIGO INC.


More information about the Kerberos mailing list