Windows Clients Won't Do Kerberos
Jeffrey Hutzelman
jhutz at cmu.edu
Thu Jun 29 21:04:29 EDT 2006
On Thursday, June 29, 2006 07:12:53 PM -0400 Michael B Allen
<mba2000 at ioplex.com> wrote:
> I have confirmed with a packet capture that the client never tries
> Kerberos. It just tries raw NTLMSSP. No SPNEGO.
>
> Finally, the installer on the Linux machine validates the keytab
> credential with krb5_get_init_creds_keytab and then does a DCE/RPC group
> lookup against the DC. It was successful. So the SPN and it's credential
> is valid.
If it's never even trying negotiate, then one of these must be true:
(1) It doesn't support it
(2) It's configured not to use it
(3) The server doesn't claim support it
(4) It can't get a ticket
Since you have another client which also fails, (1) and (2) seem unlikely.
And, since you have other tickets, and you've demonstrated that the service
principal exists, (4) also seems unlikely. So, I'm going to guess that
your server is broken, and doesn't claim to support that mechanism.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list