IE using NTLM instead of Kerberos?

Jason Fenner jfenner at Vitamix.com
Fri Feb 17 17:08:09 EST 2006


Hello.

I have installed the Kerberos MIT package and am using mod_auth_kerb to 
authenticate to my apache server via Internet Explorer.  The KDC is a 
Windows 2003, which also acts as our Domain Controller in a Active 
Directory network. 

Below is the log snipet I keep getting when I hit the protected web site 
with Internet Explorer on a XP workstation that is authenticated to the 
domain.

[Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1322): [client 
10.30.200.24] kerb_authenticate_user entered with user (NULL) and 
auth_type Kerberos
[Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1322): [client 
10.30.200.24] kerb_authenticate_user entered with user (NULL) and 
auth_type Kerberos
[Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1023): [client 
10.30.200.24] Acquiring creds for HTTP/rt.vitamix.com at VITAMIX.COM
[Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1152): [client 
10.30.200.24] Verifying client data using KRB5 GSS-API
[Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1168): [client 
10.30.200.24] Verification returned code 589824
[Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1194): [client 
10.30.200.24] Warning: received token seems to be NTLM, which isn't 
supported by the Kerberos module. Check your IE configuration.
[Fri Feb 17 17:04:01 2006] [error] [client 10.30.200.24] 
gss_accept_sec_context() failed: A token was invalid (Token header is 
malformed or corrupt)

I have followed these instruction completely: 
http://www.grolmsnet.de/kerbtut/

The research I have done so far shows that IE will try kerberos first, 
and then fail over to NTLM.  So I assume that my kerberos with MIT's 
package is failing for some reason.  Does any one have any idea on what 
may be causing this?  This SPN and the keytab file all look fine.  I'm 
really stumped.  Any one up for a challenge and want to help me out here?

Thanks in advance!




More information about the Kerberos mailing list