Windows Clients Won't Do Kerberos

Jeffrey Hutzelman jhutz at
Thu Jun 29 21:04:29 EDT 2006

On Thursday, June 29, 2006 07:12:53 PM -0400 Michael B Allen 
<mba2000 at> wrote:

> I have confirmed with a packet capture that the client never tries
> Kerberos. It just tries raw NTLMSSP. No SPNEGO.
> Finally, the installer on the Linux machine validates the keytab
> credential with krb5_get_init_creds_keytab and then does a DCE/RPC group
> lookup against the DC. It was successful. So the SPN and it's credential
> is valid.

If it's never even trying negotiate, then one of these must be true:
(1) It doesn't support it
(2) It's configured not to use it
(3) The server doesn't claim support it
(4) It can't get a ticket

Since you have another client which also fails, (1) and (2) seem unlikely. 
And, since you have other tickets, and you've demonstrated that the service 
principal exists, (4) also seems unlikely.  So, I'm going to guess that 
your server is broken, and doesn't claim to support that mechanism.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the Kerberos mailing list