Windows Clients Won't Do Kerberos
Michael B Allen
mba2000 at ioplex.com
Fri Jun 30 02:47:19 EDT 2006
On Fri, 30 Jun 2006 04:10:35 GMT
Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
> Michael B Allen wrote:
> > It could be (2). But it's not specific to IE because the wsh script
> > generates the same error and it just uses the WinHttpRequest interface. So
> > it would have to be an machine level or "Global Policy" type of setting.
> > It could be (4) if there's something wrong with the account. As per my
> > instructions he created a Computer account and ran ktpass to generate
> > an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
> > DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
> > the keytab credential was used successfully by the installer to query
> > an AD group I'm thinking this isn't the problem.
> Do you have a network monitor? If so, look for HTTP service ticket
> requests that are being denied.
Yeah. I just worked out exactly how to install netcap.exe on XP and
get a capture. I think it is indeed something wrong with trying to
acquire the HTTP sercice ticket. If I disable the Computer account in
my environment I get exactly the same behavior as the customer. IE gets
KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL and falls back to NTLM.
> If you don't see them, then you most
> likely have not added the host url to the Trusted Sites list. This
> is required in order for WinHttpRequest or IE to perform Kerberos
Interesting. So that also affects WinHttpResuest. Regardless we've
been over that twice already. The customer definitely has that
set. Incedentially I think the proper method is to add the domain to
the IntrAnet zone like 'http://*.foo.net'. I think the Trusted Sites list
is more for IntErnet sites like http://download.microsoft.com, etc.
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
More information about the Kerberos