Windows Clients Won't Do Kerberos

Michael B Allen mba2000 at
Thu Jun 29 19:05:22 EDT 2006

That sounds interesting. Note that the customer ran kerbtray and
it shows he has tickets for stuff like cifs/server at REALM.NET and
host/whatever at REALM.NET. So it looks like the workstations CAN do
Kerberos, they just don't want to do it with the HTTP SPN.

But the group policy thing sounds interesting. I'll check it out.


On Thu, 29 Jun 2006 14:09:13 -0700
chris.rowland at wrote:

> Turn off NTLM with Group Policy 
> -----Original Message-----
> From: kerberos-bounces at [mailto:kerberos-bounces at] On Behalf
> Of mba2000 at
> Sent: Thursday, June 29, 2006 1:37 PM
> To: kerberos at
> Subject: Windows Clients Won't Do Kerberos
> I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
> customer and it's not working for them. The client is always asking for
> NTLM. It never even tries Kerberos. I know it's not browser settings
> because I wrote a simple wsh script and it too only tries NTLMSSP (whereas
> on my test network it works fine).
> Can anyone think of a reason why XP clients would refuse to try Kerberos
> when accessing services (e.g. HTTP)? I've been through all the usual
> reasons but we just can't get it to work. Is there some kind of mode that
> a Windows domain controller can run in that causes all clients not to do
> Kerberos at all? Can anyone recommend a diagnostic?
> Thanks,
> Mike
> -- 
> Michael B Allen
> PHP Extension for SSO w/ Windows Group Authorization
> ________________________________________________
> Kerberos mailing list           Kerberos at

Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization

More information about the Kerberos mailing list