Windows Clients Won't Do Kerberos

Michael B Allen mba2000 at
Thu Jun 29 19:12:53 EDT 2006

On Thu, 29 Jun 2006 16:12:22 -0500
"Christopher D. Clausen" <cclausen at> wrote:

> Michael B Allen <mba2000 at> wrote:
> > I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
> > customer and it's not working for them. The client is always asking
> > for NTLM. It never even tries Kerberos. I know it's not browser
> > settings because I wrote a simple wsh script and it too only tries
> > NTLMSSP (whereas on my test network it works fine).
> >
> > Can anyone think of a reason why XP clients would refuse to try
> > Kerberos when accessing services (e.g. HTTP)? I've been through all
> > the usual reasons but we just can't get it to work. Is there some
> > kind of mode that a Windows domain controller can run in that causes
> > all clients not to do Kerberos at all? Can anyone recommend a
> > diagnostic?
> Are the users logged on to Windows with Domain credentials?  Local 
> accounts would not have Kerberos credentials.
> Is the domain operating at the "Windows 2000" level?  NT4 domains do not 
> support Kerberos.
> Is the website in the "Trusted Sites" zone in Internet Explorer 
> (assuming that you are trying with Internet Explorer.)
> Find and download klist.exe from Microsoft and use it to look at the 
> SSPI ticket cache.  You should see a HTTP/fqdn.domain ticket show up 
> when the site in question is contacted if everything is working as it 
> should.

Yes. Yes and yup. The customer ran kerbtray and he has tickets for all
sorts of stuff.

I don't think it has anything to do with IE because 1) the wsh script
I provided generates the same error (GSS_S_BAD_MECH because we can't
accept raw NTLMSSP tokens) and 2) he's never presented with a Network
Password Dialog.

I have confirmed with a packet capture that the client never tries
Kerberos. It just tries raw NTLMSSP. No SPNEGO.

Finally, the installer on the Linux machine validates the keytab
credential with krb5_get_init_creds_keytab and then does a DCE/RPC group
lookup against the DC. It was successful. So the SPN and it's credential
is valid.

It's like there's some kind of group policy getting in the way or maybe
the Windows client is failing to get the ticket for some other reason.

I'm so stumped.


Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization

More information about the Kerberos mailing list