IE using NTLM instead of Kerberos?
Jason Fenner
jfenner at Vitamix.com
Mon Feb 20 09:37:39 EST 2006
As an update, I ran:

kinit HTTP/rt.vitamix.com

and supplied the requested password. This was successful.
However, when running:

kvno HTTP/rt.vitamix.com

I got:

HTTP/rt.vitamix.com@VITAMIX.COM: Server not found in Kerberos database while getting credentials

klist had this output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/rt.vitamix.com@VITAMIX.COM

Valid starting     Expires            Service principal
02/20/06 09:33:59  02/20/06 19:33:59  krbtgt/VITAMIX.COM@VITAMIX.COM
        renew until 02/21/06 09:33:59

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Jason Fenner wrote:
>Ok,
>
>I ran that command and got the following:
>kvno: No credentials cache found while getting client principal name
>
>I notice that it says "client principal name", does this mean that I
>also need a key called:
>host/rt.vitamix.com
>
>Or does "client" just refer to the principal name that I queried?
>
>What does this message indicate?
>
>Here is my /etc/krb5.conf file too:
>
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> clockskew = 300
>
>[libdefaults]
> ticket_lifetime = 24000
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
>
>[realms]
> VITAMIX.COM = {
> kdc = dc1.domain.com:88
> admin_server = dc1.domain.com
>
> }
>
> GOLDENEYE = {
> kdc = dc1.vitamix.com
> admin_server = dc1.domain.com
> default_domain = DOMAIN.COM
>}
>
>[domain_realm]
> rt.vitamix.com = DOMAIN.COM
>
>#[kdc]
># profile = /var/kerberos/krb5kdc/kdc.conf
>
>[appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>[logging]
>FILE=/var/krb5/kdc.log
>
>
>Achim Grolms wrote:
>
>>On Friday 17 February 2006 23:08, Jason Fenner wrote:
>>
>>>I have followed these instructions completely:
>>>http://www.grolmsnet.de/kerbtut/
>>>
>>>The research I have done so far shows that IE will try Kerberos first,
>>>and then fail over to NTLM.
>>
>>Please run
>>
>>kvno HTTP/rt.vitamix.com
>>
>>to see if the Kerberos principal exists.
>>
>>The mod_auth_kerb mailing list is
>>
>>modauthkerb-help at lists.sourceforge.net
>>
>>Achim
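
A consistency check for a krb5.conf of the kind quoted in this thread, as an added example that is not part of the original messages: it lists realms named by default_realm or [domain_realm] that have no [realms] stanza. The sample config, its EXAMPLE names and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the poster's file): default_realm and one
# [domain_realm] entry name a realm that has no [realms] stanza.
SAMPLE = """
[libdefaults]
 default_realm = CORP.EXAMPLE
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com:88
 }
[domain_realm]
 web.example.com = CORP.EXAMPLE
 .example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse sections, relations and one level of { } subsections.
    Repeated keys (e.g. several kdc lines) keep only the last value."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            # A repeated section header merges into the earlier one.
            section, sub = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return conf

def undefined_realms(conf):
    """Map each referenced realm lacking a [realms] stanza to its references.
    With dns_lookup_kdc = false, [realms] is the only source of KDC addresses."""
    referenced = {}
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        referenced.setdefault(default, []).append("libdefaults.default_realm")
    for host, realm in conf.get("domain_realm", {}).items():
        referenced.setdefault(realm, []).append("domain_realm." + host)
    defined = conf.get("realms", {})
    return {r: refs for r, refs in referenced.items() if r not in defined}
```

Calling `undefined_realms(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a real file returns an empty dict when every referenced realm has a stanza.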