Windows Clients Won't Do Kerberos
Michael B Allen
mba2000 at ioplex.com
Thu Jun 29 19:05:22 EDT 2006
That sounds interesting. Note that the customer ran kerbtray and
it shows he has tickets for stuff like cifs/server at REALM.NET and
host/whatever at REALM.NET. So it looks like the workstations CAN do
Kerberos, they just don't want to do it with the HTTP SPN.
But the group policy thing sounds interesting. I'll check it out.
Thanks,
Mike
On Thu, 29 Jun 2006 14:09:13 -0700
chris.rowland at areva-td.com wrote:
> Turn off NTLM with Group Policy
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of mba2000 at ioplex.com
> Sent: Thursday, June 29, 2006 1:37 PM
> To: kerberos at mit.edu
> Subject: Windows Clients Won't Do Kerberos
>
>
> I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
> customer and it's not working for them. The client is always asking for
> NTLM. It never even tries Kerberos. I know it's not browser settings
> because I wrote a simple wsh script and it too only tries NTLMSSP (whereas
> on my test network it works fine).
>
> Can anyone think of a reason why XP clients would refuse to try Kerberos
> when accessing services (e.g. HTTP)? I've been through all the usual
> reasons but we just can't get it to work. Is there some kind of mode that
> a Windows domain controller can run in that causes all clients not to do
> Kerberos at all? Can anyone recommend a diagnostic?
>
> Thanks,
> Mike
>
> --
> Michael B Allen
> PHP Extension for SSO w/ Windows Group Authorization
> http://www.ioplex.com/ ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
More information about the Kerberos
mailing list