Windows Clients Won't Do Kerberos

Jeffrey Altman jaltman2 at
Fri Jun 30 00:10:35 EDT 2006

Michael B Allen wrote:

> It could be (2). But it's not specific to IE because the wsh script
> generates the same error and it just uses the WinHttpRequest interface. So
> it would have to be an machine level or "Global Policy" type of setting.
> It could be (4) if there's something wrong with the account. As per my
> instructions he created a Computer account and ran ktpass to generate
> an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
> DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
> the keytab credential was used successfully by the installer to query
> an AD group I'm thinking this isn't the problem.

Do you have a network monitor?  If so, look for HTTP service ticket
requests that are being denied.  If you don't see them, then you most
likely have not added the host url to the Trusted Sites list.  This
is required in order for WinHttpRequest or IE to perform Kerberos

Jeffrey Altman

More information about the Kerberos mailing list