Windows Clients Won't Do Kerberos
Jeffrey Altman
jaltman2 at nyc.rr.com
Fri Jun 30 00:10:35 EDT 2006
Michael B Allen wrote:
> It could be (2). But it's not specific to IE because the wsh script
> generates the same error and it just uses the WinHttpRequest interface. So
> it would have to be an machine level or "Global Policy" type of setting.
>
> It could be (4) if there's something wrong with the account. As per my
> instructions he created a Computer account and ran ktpass to generate
> an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
> DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
> the keytab credential was used successfully by the installer to query
> an AD group I'm thinking this isn't the problem.
Do you have a network monitor? If so, look for HTTP service ticket
requests that are being denied. If you don't see them, then you most
likely have not added the host url to the Trusted Sites list. This
is required in order for WinHttpRequest or IE to perform Kerberos
negotiate.
Jeffrey Altman
More information about the Kerberos
mailing list